Reporters Committee analysis of U.S. government indictment of Julian Assange – Part II
In response to our analysis of the Justice Department’s Computer Fraud and Abuse Act conspiracy charge against Julian Assange, we’ve received questions about two specific aspects of the charge.
The first is whether it’s relevant that Chelsea Manning had authorized access to the Defense Department’s secret-level classified network, SIPRNet, and had already been sending Assange classified information for several months when she asked for help cracking a password. The second is whether it’s relevant that there’s no allegation in the indictment that Assange succeeded in helping Manning crack the password (or even tried).
Both are important considerations as we wait for possible additional charges or any other developments in the case, but neither suggest that these specific facts could serve as a ready model for a later case exposing the press to a high risk of prosecution under the CFAA. We discuss both questions below.
Why is it relevant that the alleged conspiracy started months earlier?
In paragraph four of the indictment, the government alleges that the conspiracy to violate the CFAA started in January 2010. By the time Manning asked about cracking a password (on March 8, 2010), she was already in the process of downloading material and uploading it to WikiLeaks.
The exchange between Manning and Assange on the messaging platform Jabber — which forms the basis for the “overt act” in service of the conspiracy — was introduced as an exhibit (#123) in Manning’s court martial in 2011. It was publicly posted and described in a 2013 report by Kevin Poulsen in Wired magazine. (The alleged password-cracking conspiracy starts on page six).
This is relevant for two reasons.
First, it highlights the fact that Manning had authorized access to the system. The applicable provisions of the CFAA cover accessing a computer “without authorization” or in a manner that “exceeds” authorized access.
The former is meant to cover “outsiders” trying to hack into a system that they don’t have any access to (like if Assange had attempted to crack the password and access SIPRNet himself).
The latter is intended to cover “insiders” who circumvent a technical access restriction, like a password, to obtain information that they are not allowed to view on the system. An example would be an employee who cracks a password to a private network drive on his or her local work network.
That latter piece about exceeding authorized access is important because both the government and private companies in civil lawsuits have tried to expand the legal definition of “exceeding authorized access” to mere violations of the terms of use of a computer system. In the Manning case, for instance, the crux of the military’s CFAA argument was that she had accessed SIPRNet in a “bad” way (in violation of the agreement Manning signed as a condition of employment on acceptable uses of the system).
When this author was at the Center for Democracy and Technology, we joined an Electronic Frontier Foundation amicus brief arguing that the government’s allegation was insufficient to state a violation of the CFAA. That is, unless the government could allege that Manning circumvented a technical access restriction to get at information that was not accessible from her SIPRNet account, a court’s acceptance of the military’s argument could risk morphing the CFAA from a hacking law into a general computer misuse statute.
This consideration also goes to whether the government can state a CFAA claim based on Manning booting the computer to the Linux operating system to get administrator privileges in order to access the hash value sent to Assange from her computer.
At first, it might appear that this does in fact look like circumventing a technical access restriction — but a workplace rule that says an employee can’t run an unauthorized program on a work computer is still just a “use” restriction. It’s not hacking. If it were, every time an employee installed Spotify on his or her work computer (assuming there’s a rule against running unauthorized programs), they would potentially be violating the CFAA.
An operating system is just another program, and the fact that Manning could get the hash value by booting the computer in another operating environment — Linux — actually shows that this wasn’t the circumvention of a technical access restriction. A technical access restriction would have been a software or hardware feature that blocked someone from booting into Linux.
The fact that the conspiracy was ongoing at the time the password-crack was discussed is also relevant to the alleged purpose of the conspiracy.
Manning’s existing access to the SIPRNet system may matter for Assange’s potential defenses. If this is the sum total of the charges against him, his lawyers will likely argue that the password-cracking agreement was not in service of a conspiracy to gain unauthorized access to SIPRNet, because Manning already had authorization, but was instead an attempt to cover Manning’s tracks.
The government’s response — and it’s a concern with the indictment itself — will likely be that the conspiracy was not to gain unauthorized access to SIPRNet, but to acquire and publish classified information that Manning already had access to. The password-cracking is the overt act in service of that broader purpose. That’s why a case with a similar “look” but without the password-cracking allegation would raise serious First Amendment problems.
Having said all that, we would still strongly counsel a reporter against offering to help crack a password even if engaged with a source with existing access to the government system at issue. That’s for two reasons.
One, depending on the system, it’s likely that logging in with another account would give the source access to information that she is technically walled off from because of the password gate. The most obvious example is email. According to the most recent acceptable use policy we could find, SIPRNet “provides classified communication to external DoD agencies and other U.S. government agencies via electronic mail.” That means logging in under someone else’s credential would give the source access to that person’s email — information that is technically outside her reach.
There could be an argument that it’s not a violation of section 1030(a)(1), which is the first section of the CFAA that Assange is alleged to have conspired to violate and that criminalizes hacking to get classified material. That is, the source in this scenario isn’t accessing classified information that she is not otherwise entitled to see. Regardless of whether it’s in someone else’s email, the source has a clearance to access any classified information at the level of her clearance.
But even then, there are issues with whether the source “needs to know” the information and the potential that the other user may have compartmented information in their account that the source, even with a top-secret clearance, wouldn’t have been “read-in on,” and therefore would be beyond the scope of their authorization. While SIPRNet is walled off as a technical matter from the Joint Worldwide Intelligence Communications System, which carries top-secret information, the use policy linked above notes that the release of top-secret information through SIPRNet is a possibility (see paragraph 4.e).
Also, and perhaps counter-intuitively, a lawyer to journalists and news outlets would want to preserve his or her organization’s ability to use hacking tools when they’re not being used to access a government network. For instance, a newsroom could receive encrypted files anonymously, and would have to crack the password to determine the newsworthiness of the files.
To avoid drawing a CFAA complaint based on that activity, the lawyer might want to avoid suggesting that the thing the CFAA was passed to address — unauthorized hacking of government systems, particularly through the use of automated means to “guess” a password — is outside the scope of the law.
We would be remiss, however, not to note the timing here. The government may have additional evidence that is not in the indictment, but the allegations in the indictment were not only reported on at length in Wired magazine in 2011, they were featured prominently in the Manning court-martial.
We won’t speculate as to anything else that could come out, but the public has a strong interest in understanding why this conspiracy claim was not brought under the Obama administration. The Washington Post reported in 2013 that the Justice Department had “all but concluded” it would not bring charges against Julian Assange because of what it called the “New York Times problem” — the fact that officials thought that if they brought a case against Assange they would have to indict other news organizations who published classified material. The public needs to know whether the Obama Justice Department considered this precise charge, based on these alleged facts. If so, and the Justice Department declined to indict Assange then, the public needs to know why.
What’s the legal relevance of Assange not succeeding at the password-crack?
There’s no indication on the face of the indictment that Assange managed to crack the password or even made an attempt. Raffi Khatchadourian, a staff writer for The New Yorker who wrote a recent profile of Assange, suggests that even the offer of help may have been “blustering — giving a key source the impression that WikiLeaks was more sophisticated than it really was.”
Without speculating as to the government’s evidence, what is the legal significance of Assange not actually cracking the password?
The lack of success is probably immaterial with respect to the underlying CFAA claim. Section 1030(b) in the CFAA covers both attempts and conspiracy to violate any portion of section 1030(a), including both provisions that are the basis for the conspiracy charge. This means an attempt to “knowingly access a computer without authorization or exceeding authorized access” to exfiltrate classified information would be covered. Additionally, section 1030(a)(1) includes “attempts to communicate, deliver, [or] transmit” classified information.
Interestingly, the indictment does not charge Assange with conspiracy under section 1030(b) in the CFAA. Rather, it uses the general conspiracy statute in the criminal code, 18 U.S.C. § 371. As the Justice Department’s manual for computer crime prosecutions explains (see pages 3 and 55-56), when Congress amended the CFAA to expressly include conspiracy in section 1030(b), it failed to update section 1030(c) to clarify the potential penalties. Section 1030(c) just specifies the penalty for an attempt to violate section 1030(a). It does not mention conspiracy.
This wrinkle is also relevant to the potential of using the theory of this case as a model for prosecutions involving the press that don’t involve password-cracking. Most conspiracy statutes, including section 371, require proof of some concrete action in furtherance of the conspiracy — an “overt act.” A conspiracy charge under Section 1030(b) does not.
The password-cracking in the indictment is the overt act in service of a broader claimed conspiracy to exfiltrate and publish classified information. The government would likely not have been able to state a section 371 claim without it (the government does allege the Linux boot as another overt act, but as we explain above, that claim is vulnerable to arguments that the boot is not unauthorized access).
The existence of a possible conspiracy case under section 1030(b) does raise the question of whether a conspiracy charge could apply to a hacking conspiracy in the leak context without any indication of an overt act in furtherance of the unauthorized access to the government system. Any conspiracy allegation that does not include specific assertions about the nature of the hacking would be concerning because of the absence of a definition of hacking in the law. For instance, a conspiracy complaint based on similar facts but without alleging a plan to actually crack a password would be an overreach.
Finally, what if this was “bluster,” as Khatchadourian wrote? This is one of the more interesting legal questions in the case.
The essence of a criminal conspiracy is the agreement, which has a particular legal meaning. As in contract law, an agreement requires a “meeting of the minds,” meaning that both parties understand what they’re agreeing to. For instance, an antitrust price-fixing conspiracy is actually about as close as one can get to a thought-crime in the United States. The element the government has to prove is the mindset of both parties. As soon as they mentally agree to set prices at a certain level, it’s strict liability.
The agreement element of a conspiracy can be proven through either direct or circumstantial evidence, including assertions by the alleged conspirator. Furthermore, the “agreement” as alleged in the indictment is to exfiltrate and publish classified information, not just to crack the password. It’s likely that even if a conspirator doesn’t intend to follow through with an overt act in furtherance of the conspiracy, the conspiracy has still been adequately pled if there’s agreement on the purpose of the conspiracy. The Congressional Research Service has a good run-down on general conspiracy law here.
***
I realize this is a lot of detail, and it’s the product of a few day’s worth of diving deep into the law and public record around this case. If you have any questions, comments, or potential corrections in either this post or our earlier analysis, I would be eager to hear. You can reach me on Twitter at @gabe_rottman or via email at grottman@rcfp.org.