A hacker who uncovered evidence that two men sexually assaulted and photographed an unconscious 16-year-old girl in Steubenville, Ohio, two years ago could spend more than a decade longer in jail than the rapists he helped expose and convict, thanks to an outdated cybersecurity law.
Deric Lostutter, 29, could spend a maximum of 16 years behind bars for his alleged role in a hack of a high school football fan website that led to the discovery of tweets and Instagram photos documenting the 2012 sexual assault of a young girl at a party. Ma’lik Richmond and Trent Mays were both convicted, and were sentenced to one and two years in prison, respectively. They’ve both since been released, and as Jack Smith IV noted in a gripping story for Mic, this all seems a little wrong.
If you’re wondering what law makes allegedly assisting in the hack of a fan website eight times worse than rape in the eyes of the government, Lostutter’s lawyer, Tor Ekeland, has an answer: A 1986 cybercrime law called the Computer Fraud and Abuse Act, or CFAA.
Ekeland is one of the leading legal crusaders against the CFAA. He notably defended the hacker weev in the AT&T iPad email address leak, and has played a part in other high-profile cases involving the CFAA’s definition of hacking — or lack thereof.
The law prohibits unauthorized access to a computer or unauthorized destruction. Exactly what this means is a lot less clear in today’s digital world than it was during the Reagan administration. “Unauthorized access” pretty much means whatever a jurisdiction wants it to mean.
“A lot of people lie about their age on Facebook or dating websites. People routinely violate terms of service agreements,” Ekeland tells Inverse. If you’re in a jurisdiction that considers violating a terms of service agreement to be unauthorized access, “you’re potentially liable there for a federal felony,” he said.
“It gives prosecutors a really, really powerful tool for punishing people who really haven’t done much or did the equivalent of spray-painting the front of a building,” Ekeland said.
Lostutter, a Kentucky resident and member of the hacker group Anonymous, allegedly encouraged fellow hacker Noah McHugh to break into the Steubenville football fan site RollRedRoll.com and discover — allegedly together — information that allowed them to identify the rapists, and publicize their identities and the school’s attempt to cover up the assault. McHugh pled guilty to hacking the site. Lostutter pled not guilty.
Lostutter could not speak to Inverse about the case due to a recent legal development, but Ekeland explained why he believed the federal criminal case against his client under the CFAA was overzealous.
“In this case, if what is alleged is true, what’s the real harm?” Ekeland asked. “They’re alleging some kind of libel or invasion of privacy? Sue civilly for that. Jail time? Felony jail time? On this? I think it’s a little over the top, particularly given that the rapists got two years.”
Mays was sentenced to two years rather than one because he distributed pictures of the underage victim, making it child pornography. Ekeland noted that federal sentencing minimums for the production of child pornography are much more severe, but the feds apparently didn’t pursue those charges.
“I think this is a very curious exercise in prosecutorial discretion,” he says.
When asked what message he thought the government was sending, given the discrepancy between the two charges, Ekeland said he thought it was a political reaction motivated in part by fear. “Anything having to do with Anonymous scares the United States government,” he said, adding that the government is trying to send a message that they’re protecting the public from “Anonymous terrorists.”
Beyond that, Ekeland said the government is engaging in “a digital war, so to speak, about who gets to control information.”
He noted that while there are hundreds of civil CFAA cases between companies, there are never criminal CFAA prosecutions against them. “I think that reflects a certain ideology that we’re interested in protecting criminal corporations from criminal liability even though they’re doing things far worse than anything an individual would do,” Ekeland said.
“You’re not going to punish your way to a more secure internet,” he concluded. “I think that’s a foolish notion.”
Lostutter’s trial begins on November 8. Having dealt with the harsh nature of the CFAA before, Ekeland’s attitude is dogged but realistic.
“You’ve got to realize most criminal trials end up in a guilty verdict,” Ekeland said. “Quite often the point of my job is I’m a triage surgeon in a combat zone. But we’ll see.”