The Federal Government's Strange Cyber-Defamation Case Against Bret McDanel:
By CHRIS SPRIGMAN
|Thursday, Sep. 25, 2003|
Bret McDanel once worked for Tornado Development, Inc., a Los-Angeles-based firm that provided Web-based email and voice mail services. While employed there, he discovered a serious security flaw in the company's email system, which intruders could exploit to read customers' private messages. He brought the flaw to the company's attention, but it wasn't fixed.
Some time after he left Tornado, between August 31 and September 5, 2000, McDanel sent a single, anonymous email to approximately 5,600 Tornado customers. The email described the security flaw, and directed customers to a website McDanel had set up providing more information.
In response, Tornado shut down its system and attempted to delete McDanel's email from their customers' accounts. Ultimately, Tornado plugged the security hole.
But that wasn't the end of the matter. Federal prosecutors charged the 29-year-old McDanel with violating the Computer Fraud and Abuse Act (CFAA). And, after a bench trial before Judge Lourdes Baird of the U.S. District Court for the Central District of California, McDanel was convicted and sentenced to 16 months in prison.
McDanel has served his sentence, but he has filed an appeal. (His attorney is Jennifer Granick, Executive Director of the Stanford Law School Center for Internet and Society (CIS).)
In this column, I will explain why McDanel should never have been prosecuted in the first place - and why his prosecution has caused serious harms to free speech.
The Basis for McDanel's Prosecution: A CFAA Section Designed For Worms
The security flaw McDanel pointed out was surprisingly obvious: Tornado's system displayed a user's login credentials as part of the URL displayed in the address bar of the user's Web browser - where it could be noted by passersby. Moreover, and more seriously, when a Tornado user left the Tornado email website, the next website he or she visited could capture his or her login credentials in a log that automatically keeps track of visitors. Thus, anyone with access to that second website's logs could then use the credentials to access the user's account.
At trial, the government did not contest the existence of the security flaw, although the prosecutor did contend that parts of McDanel's emails had overstated its seriousness. To the contrary, the prosecution accepted that McDanel's emails contained truthful speech - speech that is therefore First Amendment-protected.
Tornado might have tried to go after McDanel civilly under "trespass to chattels" law - but at the time he sent the emails, though he was no longer an employee, he was still authorized to send mail through Tornado's systems. (He had been allowed to keep his user account when he left his employment there.) Thus, Tornado had to seek other bases on which to go after McDanel.
Unfortunately for McDanel, Tornado convinced the federal government to act. McDanel was charged with violating Section 1030(a)(5)(A) of the CFAA. That section prohibits transmission of code, programs or information with the intent to cause damage to a protected computer.
Typically, this section is invoked to target the transmission of malicious code such as worms, viruses, and Trojan horses - code that deletes or alters data, captures confidential information, or facilitates unauthorized access. But McDanel's emails did none of these things - they were simply ordinary email messages.
So what "damage" to anyone's computer was done by alerting customers to a security vulnerability? Didn't McDanel's email, instead, allow customers to protect their computers by pressuring Tornado to fix the security flaw?
I believe so. But the government had two theories to explain the purported "damage" to Tornado's computers. Neither holds water.
The "Reputational Damage" Theory: Why It Doesn't Work
The government argued at trial that McDanel's emails "damaged" Tornado's computers by alerting the public to the email system's security flaws. But McDanel's emails didn't really damage Tornado's computers, which is the trigger for liability under the CFAA; rather, the emails merely informed users of an existing (and fairly obvious) insecurity in Tornado's systems. What was really damaged was Tornado's reputation, and its relationship with its customers.
Plainly, such damage isn't damage to a computer as the CFAA requires. In addition, there is no indication in the legislative history of the CFAA that Congress intended to criminalize reputational harm - as opposed to harm to a computer - or even thought about the issue at all.
In light of this, it is obvious that McDanel was not on notice - as the Constitution requires that targets of criminal prosecution must be - that he could be criminally pursued for sending truthful emails over a system he was authorized to use. As a result, his prosecution violated constitutional Due Process requirements.
Moreover, there is a second, constitutional problem with predicating a prosecution on reputational damage - in such a prosecution, truth, as a matter of First Amendment law, must be a defense. And although they did argue that McDanel had overstated the dangers created by the security flaw, the government did not dispute that the security flaw that McDanel described existed.
Speech that causes harm to reputation is the traditional province of civil defamation law. (Criminal defamation laws remain on the books in 16 states, but are rarely used). And it is there that the principle that a true statement's reputational harm cannot be the basis for a legal action has arisen. But that principle transcends the defamation context. The protection of truthful speech is at the core of the First Amendment.
The "Server Overload" Theory: Why It Doesn't Work Either
The government's other theory to explain the supposed "damage" was that the emails had overloaded, and thus slowed down, Tornado's servers. But that's ridiculous: While 5,600 emails may sound like a lot, it is a drop in the bucket for the average email server.
In Intel v. Hamidi - a case similar to McDanel's, except that there the access was unauthorized, and a trespass suit resulted - the California Supreme Court recently held that there was no evidence that six emails, each reaching as many as 35,000 employees, harmed Intel's email server. As the court pointed out, the number of messages sent was "miniscule compared to the amounts of mail sent by commercial operations." The same is true for McDanel's 5,600 emails.
Granted, as an anonymous commentator on Slashdot has suggested, it is conceivable that even this relatively modest number of emails might have slowed Tornado's system if it was very ill-designed (and that McDanel, if he knew about the poor design, might have anticipated this).
But the government did not present any evidence to this effect at trial. Instead, it presented testimony - which the trial judge apparently accepted - that 5,600 emails were enough to burden Tornado's servers.
In the context of a competently-functioning corporate email system, that assertion beggars belief. It is like saying that a straw quite literally broke a camel's back.
The First Amendment Cost of the McDanel Prosecution
Brett McDanel's prosecution was a grave injustice. So was the year and four months he spent in jail. And the damage done is much graver even than that.
The government's prosecution of McDanel will chill the open discussion of computer security flaws. Yet such discussion is necessary to properly disseminate vulnerability information, and incentivize timely security improvements.
Especially given the very real prospect of terrorism, discouraging publication of information about security vulnerability - when it is provided to the very persons and companies who are vulnerable - is foolish indeed. Realizing this, the federal government sponsors several fora that provide detailed information to the public on computer security flaws. These fora include FedCIRC (run by the Department of Homeland Defense) and the federally funded CERT Coordination Center at Carnegie Mellon University.
On the one hand, then, the federal government is encouraging open discussion of computer security issues through projects like CERT and FedCIRC. But on the other hand, through vehicles such as the McDanel prosecution, it is simultaneously attempting to squelch this very type of discussion.
It's time for John Ashcroft to call Tom Ridge - and to listen to what he has to say. Let's hope Ridge prevails. Silencing disgruntled employees ought to be a far lower priority for our country than vital cybersecurity is.
The McDanel prosecution was a disgrace. The CFAA ought to be used not against the McDanels of the world, but against the true cybervillains - the worm and virus spreaders - whom Congress meant it to target.