A curious article by Sarah Laskow in the Columbia Journalism Review is entitled “The Lawyers Hackers Call.” It’s a piece about the team defending Matthew Keys, the latest case under the Computer Fraud and Abuse Act that sunk Andrew Auernheimer, better known as Weev.
The federal government was alleging that Keys, then a social media editor at Reuters, had conspired with the infamous group Anonymous to hack the Los Angeles Times’ website. Keys, according to the government, had given the hackers access, and off they went. They managed to, as the Department of Justice put it, “make changes to the web version of a Los Angeles Times news feature,” changing a headline to “Pressure builds in House to elect CHIPPY 1337,” and the text of article to report on a “deal cut which will see uber skid Chippy 1337 take his rightful place, as head of the Senate, reluctant House Democrats told to SUCK IT UP.”
Like Auernheimer, Keys would face charges under the Computer Fraud and Abuse Act, and he needed a lawyer.
While this might be dismissed as a puff piece by a non-lawyer who lacked the slightest clue what she was writing about, it gains some cred via Orin Kerr at Volokh Conspiracy, who then refers back to a similar post of his about how to find a computer crime lawyer.
Laskow’s post is an homage to a young lawyer, Tor Ekeland, who defended Weev and thus made his bones within the hacker community. Tor’s girlfriend stumbled upon Weev while taking photos at Occupy Wall Street, and learned that he was under indictment and unhappy with his public defender. She had a boyfriend for him.
She came home and told Ekeland, who had recently left a job in Big Law and was planning on striking out on his own. He googled Auernheimer, realized that—whatever the outcome—the case could make a difference, long term, in how the law was interpreted. Ekeland had never tried a case in federal court before. But Auernheimer, Ekeland said, didn’t see that as a problem. “I told him my stats, and he was like, ‘Okay, let’s go.’”
There are a few critical things to note here. Tor, unlike other inexperienced lawyers, was brutally honest with Weev, telling him that he had never tried a federal case before and was, in effect, marginally qualified to take on his representation. But Weev wanted Tor, experienced or not. As an aside, I discussed this with Tor, and was and remain impressed with Tor’s recognition of his strengths and weaknesses, and his abiding concern for his client.
I also suspect that one of the aspects of Weev’s desire to have Tor as his lawyer was that a more experienced lawyer would never have let Weev shoot his mouth off as he did, screw up his own defense at every turn and seize control of his defense so that it would become a platform for hacker politics rather than a defense against a criminal accusation and, more importantly from a broader perspective, a major case in the interpretation of one of the most important, and worst conceived, criminal laws going forward, the CFAA.
Having served as Weev’s guy, Tor gained a reputation among the hacker community as a go-to lawyer for computer crime. What makes this significant for the rest of us is that computer crime, and the interpretation of the CFAA as to what it and is not illegal, is at a crossroads. As the integration of computers into our world and lives grows and changes, the impact of this law, enacted in 1986 when we were damn near clueless about what the future of computers would be, is huge.
For lawyers, one of the attractive aspects of computer crime is that the legal questions at issue haven’t been settled. They can see how the cases they take on now could define the shape of digital law for years to come—and there are more of those cases than ever before. “I think the CFAA has been a favored tool of federal prosecutors,” says Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation. “My instinct is that it’s growing in popularity.”
The CJR article goes down a troubling path, not because of its homage to Tor, but because it feeds into a dangerous ignorance that could have a devastating affect on the future of computer use. Hackers tend to be very smart when it comes to binary thinking, but that doesn’t translate into sound judgment when it comes to law or defending themselves. This became painfully apparently in the aftermath to the Aaron Swartz suicide, when the hacktivist community engaged misguided assumptions and a remarkably narcissistic world view.
The problem is that while hackers will be at the leading edge of prosecutions under the CFAA, it will eventually filter down to everyone else, and we will be left with the law developed by the lawyers they select. In other words, we’re going to live with results of their choices, for better or worse.
At the moment, there is no such thing as a computer crime bar, a cadre of lawyers who specialize in computer crime. There are a few academics who are interested in it and do a great deal of writing about it, such as Orin and Jennifer Grannick at Stanford’s Center for Internet and Society. Indeed, they authored amicus briefs on Weev’s appeal of his conviction. Of course, the point of a defense in a criminal prosecution is to not lose in the first place, rather than rally the troops on appeal.
But the academic perspective elevates subject matter concerns over defense concerns, as reflected in Orin’s advice on how to find a computer crime lawyer:
The problem with finding a good defense lawyer for a computer crime case is that most defense lawyers are generalists. Defense lawyers often have solo practices, or work in small firms, and they take a very wide range of cases. They specialize in defending individuals against criminal charges, not in particular types of crimes. As a result, it is very hard to find a criminal defense lawyer with genuine expertise and experience in litigating computer crime cases — someone who can handle the statutory issues, knows how to handle expert witnesses, can raise needed Fourth Amendment challenges, and the like.
While there is certainly merit to having a lawyer with “genuine expertise and experience” in litigating computer crime, it fails to reflect a basic grasp of the need for a lawyer with “genuine expertise” in the skills necessary to defend a crime at all, such as criminal procedure, trial and the beloved cross-examination. Orin, for example, may be extremely knowledgeable in the nuances of the CFAA, but would you want him crossing a witness?
Orin goes on to reach a more reasonable conclusion, though for the wrong reasons:
As a result, I think the best path for many defendants is just to hire a good defense lawyer with a good reputation, regardless of expertise in computer issues, and then to consider supplementing that lawyer by discussing the case with a subject-matter expert who can flag some of the issues in the case that a generalist would likely miss.
There is an academic bias that one’s scholarly interests are so difficult to master, so finely nuanced and so deeply thoughtful that mere mortals could never grasp them without the help of more brilliant souls. Whether that’s true isn’t entirely clear, given that most good lawyers are relatively capable of reading Orin’s law review articles and the caselaw, and getting the point. While there are some complex issues involved in the CFAA, they aren’t so complex that they are beyond the ken of a decent lawyer.
On the other hand, a lawyer fully versed in the Computer Fraud and Abuse Act, the various scholarly theories about what’s wrong with it and how it should be interpreted, but incapable or inexperienced in trying a case, faces a tough road. It’s a lot easier to learn the CFAA than it is to gain a decade or two of trial experience overnight, despite what articles like those in the CJR tell hackers.
Update: This should have been in the initial post, but Laskow wrote another piece entitled “Find the best defense attorney you can,” with the subtitle. “Hackers being prosecuted under the CFAA don’t just need digital experts; they need good defense against a law vague enough to encompass most anything.”
Most criminal defendants, whether fighting a DUI or fighting Computer Fraud and Abuse Act charges, have a small legal team, often just one overtaxed defense attorney. Matthew Keys, the social media editor who’s accused of helping Anonymous vandalize the Los Angeles Times’ website, has not just Tor Ekeland on his team, but also Jay Leiderman, another lawyer developing something of a reputation as a specialist in hackers charged by the government with violating the CFAA.
If Ekeland fell into this field almost by accident, Leiderman took a slightly more deliberate path. His first CFAA client was Commander X, an Anonymous-affiliated hacker—a job Leiderman retained by suggesting it on Twitter. It “sort of got picked up,” he says. “Once I represented X, he thrust me into the rest of it,” says Leiderman, “X’s opinion was — ‘Oh, you’re not just my lawyer. You’re the lawyer for Anonymous; you’re the lawyer for every hacker that ever lived.’”
This is closer to what I’m talking about, and my apologies to Laskow for not having incorporated it in the main post. Yet it goes on:
Still, legal expertise does count for something: Even if a defendant need not call one of these lawyers who specializes in the CFAA, her lawyer probably will.
Much as the academics and Laskow remain married to the proposition that CFAA is far too hard and complex for mere lawyers (though nobody seems to remember that it’s decided by judges, who suffer the same apparent stupidity as non-computer law experts), it’s just not that hard or off the beaten trail that any good criminal defense lawyer couldn’t become expert at it within a short period of time with the normal effort we employ with every case we defend.