"How did you get caught?" I ask Darren Martyn, aka Pwnsauce, the former member of LulzSec.
"Bad Opsec. Really, really bad Opsec," he says.
He tells me that he used to log on for his LulzSec romps using his school Internet account so it wasn't a surprise that he got caught. It was a surprise that it took them so long. He recounts for me the day he got busted, waking up in his bed in Galway, Ireland surrounded by policemen with machine guns. He closed his eyes and tried to go back to sleep; it was so surreal he assumed it must be a bad dream.
I'm in London to meet with Lauri Love, who's been indicted for computer crimes in three separate federal district courts in the US for allegedly going on a hacking spree involving various US governmental agencies' atrociously secured computer systems. I'm also there to see "Teh Internet is Serious Business" at the Royal Court Theater, playwright Tim Price's frenetic fantasia of LulzSec's rise and fall. I'm a lawyer who represents a lot of hackers, and part of the job is to know your clients and their world. Too many lawyers who take on computer crime cases have little clue when it comes to code or culture and their clients often suffer as a result. So I make it my business to know. Plus, I enjoy the transgressive nature of the scene.
Before the play the Royal Court hosted a livestreamed panel discussion moderated by anthropologist and "Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous" author Gabriella Coleman. The panel was made up of LulzSec members Kayla, Topiary, Tflow, and Pwnsauce. After the show we all mingle in the Royal Court's basement bar.
Celebrating with everyone after the show, it strikes me that this wouldn't be happening in the US, which treats hackers far more harshly than the U.K. does. In the US the members of LulzSec would still be in jail under inhumane conditions.
America's War on Hackers
My first hacker client, Andrew "weev" Auernheimer, was convicted for his role in downloading roughly 114,000 email addresses from AT&T's publicly facing, non-password protected iPad servers, and giving them to Gawker to expose AT&T's shoddy InfoSec. He never sold the email addresses or profited in any way from his purported crime. His actions came nowhere near the scope of LulzSec's. Yet he was sentenced to three and a half years in federal prison, fined roughly $73,000.00, and subjected to brutal treatment by the U.S. penal system as if he was a murderer or rapist.
Let me stop and mention here that last week weev caused a storm when he wrote a racist screed for a white supremacist website. As usual I found out about it when my twitter timeline lit up with exhortations to do something about my client, the unpopular defendant. To me his bigoted viewpoint is just noise; the crucial issue here is not weev or his ideas but the future of criminal computer law in the U.S. You may think weev is an asshole. But being an asshole is not a crime, and neither is obtaining unsecured information from publicly facing servers.
The U.S. prison system is a dystopian Dostoyevskian nightmare.
While in jail, weev spent much of his time in prison in administrative segregation – a brutal form of incarceration that is considered torture by many psychologists. After the director of prisons in Colorado spent 24 hours in a solitary cell, he set out to eliminate all solitary confinement in the state. In weev's case, he spent most of his time in a roughly 6×9 cell with one other prisoner. He was allowed out for only one hour a day. During the winter, weev's prison would often schedule that hour before dawn, which led him to never leave his cell due to the brutal cold. Toward the end, the prison began denying weev all mail and reading material in a vindictive attempt to isolate him further.
They also sought to isolate him from me. Our privileged attorney-client communications were routinely and illegally opened by the prison; when weev was interrogated by the FBI (while being denied an attorney) about one of his communications to me and complained about his privileged attorney-client mail being opened, one of the FBI agents told him that they "didn't give a fuck about the attorney client privilege." Unfortunately, this attitude is typical of many FBI agents; generally they believe they are above the law they are entrusted to enforce.
The prison continually ignored my phone calls and letters asking about his treatment. We were preparing to sue them with regard to this appalling treatment when the Third Circuit Court of Appeals unanimously reversed his conviction. Immediately after, the prison's phone system miraculously began working again. I've heard similar tales of nasty, brutish, and petty treatment when dealing with the U.S. penal system from other hackers I know who were thrown in jail for non-violent offenses.
Part of problem is that the U.S. prison system is a dystopian Dostoyevskian nightmare. But another part of it is engendered by the U.S. government's hysterical reaction to hackers and hacker groups like Anonymous, whom they breathlessly label (in a word that has become meaningless because of its ever expansive use) terrorists. We are all terrorists now. There is paranoia when it comes to hackers because what they do is poorly understood by most people and is viewed as a form of witchcraft by many. And the government is scared of hackers because unlike the physical world where they can overwhelm you with force, on the Internet a 14-year-old kid in his mom's basement is often more powerful than the best the government has. I know this because I've seen the government try to recruit my clients via indictments.
When one of my clients refused to cooperate with the FBI's demand that he hack a foreign criminal organization at the risk of death for him and his family, the DOJ superseded his indictment, skyrocketing it from fifteen to 44 counts, increasing his potential sentence to over 400 years in prison.
The U.S. government is brutal and relentless in its paranoid zeal to prosecute hackers even when the harm was negligible.
The government can't hack at the level those outside it can, and it can't recruit real hackers because of its cookie-cutter, astringent recruiting mentality as to what a proper person is. Witness its laughable attempt to recruit hackers that foundered on the fact that they couldn't find any that didn't smoke marijuana. I have yet to meet a hacker of the caliber they wish they could get who doesn't do drugs. So in their fear and impotence the government becomes hysterical and vindictive. Hackers are the new communists for the DOJ. And just like during the Red Scare, they seek to infiltrate and destroy that which they fear and do not understand.
The U.S. government is brutal and relentless in its paranoid zeal to prosecute hackers even when the harm was negligible. One of my clients, Matthew Keys, is on trial for allegedly passing a username and password to members of LulzSec that was then used to alter some words in one paragraph of a story on the LA Times website. The alleged alteration was rectified with a quick press of the restore button within half an hour. For this, Matthew faces a maximum of 25 years in prison and $750,000 in fines.
And of course the tragedy of Aaron Swartz's prosecution is well known. The behavior of the prosecutors in Aaron Swartz's case is becoming the norm, not the exception. The prosecutorial fervor of the U.S. DOJ when it comes to computer crime is too often disproportionate and misguided, and when coupled with the poorly drafted, ambiguous nature of the U.S. computer laws, is a recipe for prosecutorial abuse.
The U.K.'s More Measured Approach to Convicted Hackers
Contrast this with what happened to the members of LulzSec in the U.K. and Ireland.
On May 13, 2013, Topiary, Tflow, kayla, and Ryan Cleary were sentenced for their involvement in LulzSec. Yet, on September 29, 2014 I was attending a pre-show panel with all of them except Cleary before a performance of "Teh Internet is Serious Business"—a play that celebrated their collective. Now, consider the scope of just some of their hacking: HB Gary (destroying Aaron Barr's reputation in the process); Sony Pictures; Game maker Electronic Arts; The Tunisian Government; the U.K.'s Serious Organized Crime Agency; The CIA; The FBI; The Arizona State Police; The Westboro Baptist Church; The UK's Sun Newspaper; Fox Broadcasting Company; and PBS, to name just a few of their targets.
For this, Topiary served only 38 days in a young offenders unit. He had been wearing an electronic tag for 21 months under house arrest prior to sentencing and this was credited against his sentence. Kayla received a 30 month custodial sentence of which he was required to serve only half; Tflow received a suspended sentence of 20 months and 300 hundred hours of community service; and Pwnsauce avoided jail time by participating in a "restorative justice program." Ryan Cleary, a tangential member of LulzSec at best, got the harshest sentence of 30 months for unleashing his botnet army on SOCA and the CIA.
These punishments are more proportionate considering the non-violent nature of the offenses committed. In the U.S., LulzSec's members would undoubtedly still be in jail.
The only two members of LulzSec to escape prison sentences? Avunit, who was never caught, and Sabu. Sabu, of course, infamously snitched on his LulzSec colleagues and cooperated with the FBI from the moment they walked through his door. The FBI ran Sabu as a mole for months, instructing him to hack on their behalf in an effort to entrap LulzSec and other hackers. The FBI arguably did as much damage as LulzSec did through their use of Sabu, having him hack and decimate the private intelligence company Stratfor, release the personal information for officers of the Arizona State Police along with an exhortation on Twitter for people to take actions against them, and instructing Sabu to facilitate the hacking of a long list of foreign government websites. For these acts of criminal hacking on behalf of the FBI Sabu was un-ironically praised at his sentencing by Judge Loretta Preska and sentenced to time-served, meaning he was given no prison time at all. And of course, no one in the U.S. Attorney's Office took any action against the FBI, because what is criminal for others is all in a days work for them.
The treatment of convicted hackers in the U.S. is in need of reform. Rather than seeking to destroy hackers through draconian sentences and treatment disproportionate to the actual harm done, the U.S. should follow the U.K. and Ireland's approach in meting out punishment proportionate to the actual harm done. But the current paranoid zeal of the U.S. DOJ when it comes to hackers leaves little hope that this will happen anytime soon.