Why Hackers Don’t Win Too Often

A curious article by Sarah Laskow in the Columbia Journalism Review is entitled “The Lawyers Hackers Call.”  It’s a piece about the team defending Matthew Keys in the latest case under the Computer Fraud and Abuse Act, the law that sank Andrew Auernheimer, better known as Weev.

The federal government was alleging that Keys, then a social media editor at Reuters, had conspired with the infamous group Anonymous to hack the Los Angeles Times’ website. Keys, according to the government, had given the hackers access, and off they went. They managed to, as the Department of Justice put it, “make changes to the web version of a Los Angeles Times news feature,” changing a headline to “Pressure builds in House to elect CHIPPY 1337,” and the text of article to report on a “deal cut which will see uber skid Chippy 1337 take his rightful place, as head of the Senate, reluctant House Democrats told to SUCK IT UP.”

Like Auernheimer, Keys would face charges under the Computer Fraud and Abuse Act, and he needed a lawyer.

While this might be dismissed as a puff piece by a non-lawyer who lacked the slightest clue what she was writing about, it gains some cred via Orin Kerr at Volokh Conspiracy, who then refers back to a similar post of his about how to find a computer crime lawyer.

Laskow’s post is an homage to a young lawyer, Tor Ekeland, who defended Weev and thus made his bones within the hacker community.  Tor’s girlfriend stumbled upon Weev while taking photos at Occupy Wall Street, and learned that he was under indictment and unhappy with his public defender.  She had a boyfriend for him.

She came home and told Ekeland, who had recently left a job in Big Law and was planning on striking out on his own. He googled Auernheimer, realized that—whatever the outcome—the case could make a difference, long term, in how the law was interpreted. Ekeland had never tried a case in federal court before. But Auernheimer, Ekeland said, didn’t see that as a problem. “I told him my stats, and he was like, ‘Okay, let’s go.’”

There are a few critical things to note here. Tor, unlike other inexperienced lawyers, was brutally honest with Weev, telling him that he had never tried a federal case  before and was, in effect, marginally qualified to take on his representation.  But Weev wanted Tor, experienced or not.  As an aside, I discussed this with Tor, and was and remain impressed with Tor’s recognition of his strengths and weaknesses, and his abiding concern for his client.

I also suspect that one of the aspects of Weev’s desire to have Tor as his lawyer was that a more experienced lawyer would never have let Weev shoot his mouth off as he did, screw up his own defense at every turn and seize control of his defense so that it would become a platform for hacker politics rather than a defense against a criminal accusation and, more importantly from a broader perspective, a major case in the interpretation of one of the most important, and worst conceived, criminal laws going forward, the CFAA.

Having served as Weev’s guy, Tor gained a reputation among the hacker community as a go-to lawyer for computer crime.  What makes this significant for the rest of us is that computer crime, and the interpretation of the CFAA as to what is and is not illegal, is at a crossroads.  As the integration of computers into our world and lives grows and changes, the impact of this law, enacted in 1986 when we were damn near clueless about what the future of computers would be, is huge.

For lawyers, one of the attractive aspects of computer crime is that the legal questions at issue haven’t been settled. They can see how the cases they take on now could define the shape of digital law for years to come—and there are more of those cases than ever before. “I think the CFAA has been a favored tool of federal prosecutors,” says Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation. “My instinct is that it’s growing in popularity.”

The CJR article goes down a troubling path, not because of its homage to Tor, but because it feeds into a dangerous ignorance that could have a devastating effect on the future of computer use. Hackers tend to be very smart when it comes to binary thinking, but that doesn’t translate into sound judgment when it comes to law or defending themselves.  This became painfully apparent in the aftermath of the Aaron Swartz suicide, when the hacktivist community engaged in misguided assumptions and a remarkably narcissistic world view.

The problem is that while hackers will be at the leading edge of prosecutions under the CFAA, it will eventually filter down to everyone else, and we will be left with the law developed by the lawyers they select.  In other words, we’re going to live with the results of their choices, for better or worse.

At the moment, there is no such thing as a computer crime bar, a cadre of lawyers who specialize in computer crime. There are a few academics who are interested in it and do a great deal of writing about it, such as Orin and Jennifer Granick at Stanford’s Center for Internet and Society. Indeed, they authored amicus briefs on Weev’s appeal of his conviction. Of course, the point of a defense in a criminal prosecution is to not lose in the first place, rather than rally the troops on appeal.

But the academic perspective elevates subject matter concerns over defense concerns, as reflected in Orin’s advice on how to find a computer crime lawyer:

The problem with finding a good defense lawyer for a computer crime case is that most defense lawyers are generalists.  Defense lawyers often have solo practices, or work in small firms, and they take a very wide range of cases. They specialize in defending individuals against criminal charges, not in particular types of crimes.  As a result, it is very hard to find a criminal defense lawyer with genuine expertise and experience in litigating computer crime cases — someone who can handle the statutory issues, knows how to handle expert witnesses, can raise needed Fourth Amendment challenges, and the like.

While there is certainly merit to having a lawyer with “genuine expertise and experience” in litigating computer crime, it fails to reflect a basic grasp of the need for a lawyer with “genuine expertise” in the skills necessary to defend a crime at all, such as criminal procedure, trial and the beloved cross-examination.  Orin, for example, may be extremely knowledgeable in the nuances of the CFAA, but would you want him crossing a witness?

Orin goes on to reach a more reasonable conclusion, though for the wrong reasons:

As a result, I think the best path for many defendants is just to hire a good defense lawyer with a good reputation, regardless of expertise in computer issues, and then to consider supplementing that lawyer by discussing the case with a subject-matter expert who can flag some of the issues in the case that a generalist would likely miss.

There is an academic bias that one’s scholarly interests are so difficult to master, so finely nuanced and so deeply thoughtful that mere mortals could never grasp them without the help of more brilliant souls.  Whether that’s true isn’t entirely clear, given that most good lawyers are relatively capable of reading Orin’s law review articles and the caselaw, and getting the point. While there are some complex issues involved in the CFAA, they aren’t so complex that they are beyond the ken of a decent lawyer.

On the other hand, a lawyer fully versed in the Computer Fraud and Abuse Act, the various scholarly theories about what’s wrong with it and how it should be interpreted, but incapable or inexperienced in trying a case, faces a tough road. It’s a lot easier to learn the CFAA than it is to gain a decade or two of trial experience overnight, despite what articles like those in the CJR tell hackers.

Update:  This should have been in the initial post, but Laskow wrote another piece entitled “Find the best defense attorney you can,” with the subtitle, “Hackers being prosecuted under the CFAA don’t just need digital experts; they need good defense against a law vague enough to encompass most anything.”

Most criminal defendants, whether fighting a DUI or fighting Computer Fraud and Abuse Act charges, have a small legal team, often just one overtaxed defense attorney. Matthew Keys, the social media editor who’s accused of helping Anonymous vandalize the Los Angeles Times’ website, has not just Tor Ekeland on his team, but also Jay Leiderman, another lawyer developing something of a reputation as a specialist in hackers charged by the government with violating the CFAA.

If Ekeland fell into this field almost by accident, Leiderman took a slightly more deliberate path. His first CFAA client was Commander X, an Anonymous-affiliated hacker—a job Leiderman retained by suggesting it on Twitter. It “sort of got picked up,” he says. “Once I represented X, he thrust me into the rest of it,” says Leiderman, “X’s opinion was — ‘Oh, you’re not just my lawyer. You’re the lawyer for Anonymous; you’re the lawyer for every hacker that ever lived.’”

This is closer to what I’m talking about, and my apologies to Laskow for not having incorporated it in the main post.  Yet it goes on:

Still, legal expertise does count for something: Even if a defendant need not call one of these lawyers who specializes in the CFAA, her lawyer probably will.

Much as the academics and Laskow remain married to the proposition that CFAA is far too hard and complex for mere lawyers (though nobody seems to remember that it’s decided by judges, who suffer the same apparent stupidity as non-computer law experts), it’s just not that hard or off the beaten trail that any good criminal defense lawyer couldn’t become expert at it within a short period of time with the normal effort we employ with every case we defend.


11 thoughts on “Why Hackers Don’t Win Too Often”

  1. Fubar

    Couple of points. First, praise by faint damns. You aren’t quite pessimistic enough here:

    “The problem is that while hackers will be at the leading edge of prosecutions under the CFAA, it will eventually filter down to everyone else, …” [Emphasis mine.]

    Prosecution under the CFAA has already “filtered down to everyone else.” Prosecuting Lori Drew was application of the CFAA to acts that the rest of us inadvertently commit every day: violation of express but unread terms of service of some websites. The “filter” was a hole capable of sinking the Titanic. Had Prof. Kerr and the defense team not prevailed, there would be little legal reason for DOJ not to inundate courts with prosecutions of ordinary people just for giggles. Political reasons maybe, but no legal reason.

    Second, your points on selecting a defense lawyer and selection’s inherent problems cannot be shouted loudly enough from high enough rooftops. I think your observations particularly on trial experience priority could save lives.

    If I might add one footnote based on empirical observation, though entirely anecdotal and not statistical — the right technical expert witness can be worth his weight in platinum. I know one such technical expert who caused immediate dismissal of some charges in federal prosecutions by little more than being on the witness list and making a brief statement during discovery. And, as I recall his fee was for only a few hours work at a rate less than the attorney’s.

    Such dramatic results are not always the case, of course. But my broader point is that some prosecutions for computer crime have at best a flimsy technical basis, as distinct from legal basis.

    1. SHG Post author

      Yeah, I thought about the Lori Drew case when I wrote the post, but it was too much of an outlier at the time and, in any event, crashed and burned. There are no doubt other cases as well, even if I’m unaware of them, that are similarly non-hacker related. But it’s hard to make a point while trying to cover every instance, and losing the forest in the trees. So, I do the best I can to make the point I think needs to be made. Sometimes, it’s a bit imperfect.

  2. Marilou Auer


    Experience and trial competence are built over time and not acquired by virtue of expertise in another field. A lawyer who is going to do a credible job of defending CFAA violations still needs the basics, which one gains by going to trial every day, seeking input from a mentor every day, and learning, every single day. Credibility does not happen overnight.

    Until the gap is closed between experienced criminal defense and CFAA expertise, a wise defendant will present himself at court with a carefully chosen team.

    And Tor would be wise to establish such relationships until he’s ready to go it alone.

    1. SHG Post author

      I know that Tor appreciates this point, and that he’s hooked up with Leiderman, a more experienced trial lawyer, on the Keys case. Be careful about overthinking the CFAA expertise aspect. While those who obsess over it place great weight on that expertise, it’s really not that complicated that a good lawyer can’t be an “expert” fairly quickly. While expert witnesses (as Fubar mentions) are critical, an appreciation of the nuances of the CFAA can be gotten fairly easily with the normal effort a good lawyer employs in defending any federal prosecution.

      1. Stephen

        Yeah, it’s a piece of legislation. It’s designed to be read using the same rules and techniques as any other piece of legislation. It’s hard to stand out from other lawyers at trial by understanding the statute your client is being prosecuted under.

        1. SHG Post author

          By no means do I denigrate anyone with strong subject matter knowledge, and indeed, having seen lawyers at trial who don’t have a clue what the law (or even the elements) of a crime are, the absence of knowledge is devastating and inexcusable. But subject matter knowledge without the rest of the arsenal needed to defend isn’t enough.

  3. Jim March

    I know that when the law gets “geeky” things get very, very ugly.

    I have been an expert witness in electronic voting cases, and have been the prime technical consultant in a whole series of election-related lawsuits in Arizona. Like the various “hacker cases” the technicalities can trip up lawyers on both sides. We had a very experienced litigation attorney who knew squat about computers and it was a constant frustration.

    Part of what we did to solve this was to have me sit by the attorney as his personal geek advisor the whole way through. This included depositions and in court. At depos I would rig up a laptop with two monitors, one for me, one for the attorney so that when we were questioning, say, the head elections tech for Pima County AZ (a quasi-geek himself) if he tried to worm out of a question via techno-babble (and trust me, they tried) I could type up commentary and suggested follow-up questions in realtime for our attorney…or worst case call a time-out if the bull$hit quotient was getting too out of control.

    Same in court, to a lesser degree of course.

    I think in the hacker cases, if the lawyer himself isn’t any kind of geek and can’t bone up on the technical aspects fast or deep enough, a geek/lawyer partnership is going to be necessary. The geek half of the team has to be at least a quasi-paralegal, with excellent written communications skills…likely somebody with a tech support or sysadmin type of background with at least a sideline in technical documentation.

    The geek-a-legal or whatever we call this position needs to be able to do precise briefing papers in a page or so tops, outlining key points as they relate to an area of law.

    Jim March

    1. SHG Post author

      There are two separate issues here, one being the subject of this post and a second being the subject of your comment. The post is about specialty in a specific sub-niche of the law, but it doesn’t necessarily mean that the lawyer has the same technical expertise as the expert would have. Indeed, having too much technical expertise can present a very serious problem in itself, as experts are so busy jousting over jargon and competing concepts that they fail to remember the jurors sitting there without a clue what anyone is talking about.

      I’ve often had to “tone down” experts who were so caught up in the minutiae of their subject that they became incapable of conveying the point to a lay jury. At trial, the point isn’t to be right, but to persuade the jury that you’re right. If the expert talks over the jurors’ heads, they serve no purpose. Experts frequently overestimate the knowledge of jurors or that they will appreciate nuances that matter enormously to experts but not so much to anyone else.

      Still, whenever the subject matter of a case requires technical expertise, it’s always important for the lawyer to have not only a sufficient working knowledge so he can understand and appreciate what’s happening, but an expert who can provide the additional level of expertise necessary.

      1. Jim March

        Well the specific area of techie-dom that translates “geek speak” into lay language is called “tech support”. Or “end user training/support” or whatever. Ideally a “geek lawyer” would be good at such translation issues; if there’s a “geek trial consultant” as I served in for the Pima election cases, that expert needs to have the lay translation skills necessary to help both his side’s attorney(s) and the jury/judge understand what’s going on.

        1. SHG Post author

          Yes, it may be important to “translate” language with which the judge and jury may be unfamiliar into more user-friendly language, but any lawyer who doesn’t have that level of familiarity and more with a case going to trial has no business trying the case. It’s true of all substantive criminal statutes, CFAA included. CFAA is not unique in this regard.
