/ Trevor Timm / 9 am Mon, Jan 26 2015
  • Submit
  • About Us
  • Contact Us
  • Advertise here
  • Forums
  • Barrett Brown’s sentence is unjust, but it may become the norm for journalists

    Barrett Brown’s sentence is unjust, but it may become the norm for journalists

    Jailed, in part, because he shared a link to a stolen document that he did not steal, and despite the fact that this is not a crime. Investigative journalist Barrett Brown was sentenced to an obscene 63 months in prison on Thursday, in part for sharing a hyperlink to a stolen document that he did not steal, and despite the fact that he was not guilty of a crime for linking to it.

    Maybe journalists think this is an anomaly, and some will ignore his case entirely since Brown also pled guilty to other charges that led to part of his sentence too. But be warned: if the White House passes its dramatic expansion of US computer law, journalists will constantly be under similar threat and reporting on hacked documents could become a crime.

    How is this possible, you ask? Well, first it’s important to understand the details of Brown’s case.

    The curious case of Barrett Brown

    Brown—a longtime journalist and activist has written for Vanity Fair, the Onion, and the Guardian—has been the subject of a controversial government witchhunt for more than two years now, stemming from his association with members of the hacker collective Anonymous and his own journalism website known as “Project PM,” which investigated shadowy intelligence contractors like Booz Allen (long before Edward Snowden made them a household name).

    The FBI relentlessly pursued Brown for his relationship with source and hacker Jeremy Hammond, who last year pled guilty to hacking into Stratfor, the intelligence contractor whose emails were the subject of that notorious link. It’s important to note: the FBI never accused Brown of hacking. (For more on this, read Anonymous expert Biella Coleman in Slate: “Barrett Brown isn’t a hacker, but he’s being punished like one.”)

    However, the FBI would eventually charge Brown with obstruction of justice and threatening an FBI agent that stemmed from his reaction to their hacking investigation, and also included a charge of “trafficking” in stolen information for merely sharing a hyperlink with his collaborators on Project PM.

    The hyperlink, which Brown just copied from an Anonymous chatroom into a private Project PM chatroom, led to a trove of the Statfor documents, some which contained newsworthy information, and some which also contained private credentials. In other words, it’s the type of link journalists share between each other and on Twitter all the time.

    After Brown’s lawyers wrote a blistering legal brief accusing the Justice Department of violating the First Amendment, the government swiftly drop the linking indictment, but Brown eventually had to plead guilty to three lesser charges (including threatening an FBI agent, which Brown freely admitted in court was wrong and stupid).

    But you’d think that would be the end of trying to punish him for linking. But at the sentencing hearing on Thursday, the Justice Department again brought the hyperlink up, arguing that even though Brown was NOT charged for the linking to a public document, he should still be punished more for his other crimes because it is “relevant conduct.”

    So instead of being sentenced for just his crimes, Brown—as explained in detail here by his defense attorney Marlo Cadeddu—got at least a year more in jail because the judge accepted the argument sharing a hyperlink—his First Amendment right, mind you—should factor into a longer sentence.

    This ruling puts journalists in the position of either not talking to hackers/foreigners or printing what they say w/o checking their facts.

    — Quinn Norton (@quinnnorton) January 22, 2015

    This should be worrying for all journalists, that reporting on controversial topics can be used against you when being sentenced for other, unrelated crimes. As longtime security journalist Quinn Norton wrote after Brown’s sentence, “I can’t look at the specific data another journalist has, and I can’t pass it along to a security expert, without feeling like there’s risk to the journalists I work with, the security experts, and myself.”

    But it’s could get far worse than that soon.

    The White House’s plan to make sharing certain links a crime

    Part of the reason the Justice Department likely dropped the linking charge against Brown to begin with, besides the obvious press freedom concerns, was because he had no intent to defraud. In fact, he repeatedly stated he did not want to use or publish the credit card numbers found in the documents, only the newsworthy information.

    But the White House recently issued a proposal for radically expanding the Computer Fraud and Abuse Act CFAA, which would make it much easier for journalists to be charged for linking to hacked documents containing passwords—regardless of intent.

    The trouble comes in a section where the White House removes the phrase  “with the intent to defraud” from the section criminalizing “trafficking” in passwords. So instead of sharing passwords for the purpose of committing fraud, you know merely have to share them purposefully with the knowledge they may be used by others.

    So stories derived from document dumps like the Sony hacks, where passwords are intermixed with a ton of other newsworthy documents (and where the passwords were was a newsworthy story in itself), become a lot riskier for news organizations to report. Merely sharing a link between reporter and editor may be a criminal act.

    Or what about stories that are about passwords? At the end of every year, stories inevitably pop up about the “most common passwords,” which are quite popular with readers, but are also are generated through analyzing passwords that were stolen and then posted online.

    These stories are often framed as amusing, but actually should be helpful to readers in explaining why they should be better protecting their security by not using the same, easily guessable password for various websites. Under the White House’s proposal, the journalists producing these stories might be committing a crime.

    Right now, though, it’s only Brown that has to suffer the injustice of being sentenced to a longer jail sentence for committing journalism. Thankfully, as the witty writer that he is—read his jailhouse review of Henry Kissinger’s recent book, it’s hilarious—Brown’s response to his sentence was in much more good spirits than his supporters:

    Good news! — The U.S. government decided today that because I did such a good job investigating the cyber-industrial complex, they’re now going to send me to investigate the prison-industrial complex. For the next 35 months, I’ll be provided with free food, clothes, and housing as I seek to expose wrongdoing by Bureau of Prisons officials and staff and otherwise report on news and culture in the world’s greatest prison system. I want to thank the Department of Justice for having put so much time and energy into advocating on my behalf; rather than holding a grudge against me for the two years of work I put into in bringing attention to a DOJ-linked campaign to harass and discredit journalists like Glenn Greenwald, the agency instead labored tirelessly to ensure that I received this very prestigious assignment. — Wish me luck!”


    / / /

    Notable Replies

    1. Share it with your editor, not on pastebin.

    2. It is exactly the job of a functioning justice system to make that distinction.

    3. I don't buy into the "He really did real things wrong so he deserved this." He admitted in court that threatening an FBI agent was a stupid mistake, but I don't know the situation under which he threatened that agent. The government hounded Aaron Swartz to suicide, I don't think it's a stretch for them to hound Barrett Brown into irrational behaviour. So you can say, "Hey, it's his fault, he shouldn't have done that," and just keep repeating that every time a journalist goes to jail or someone is killed by a police officer someone if that's what you want to do. Enjoy your police state.

    4. Yup. We're stepping right into line with other regimes cracking down on journalism. The government's endgame is for us to wind up like China.

      That said, he did do things that I think they should have punished him for, likely including throwing him in jail. The fact that the things they actually threw him in jail for are not those things represents incredible abuse of prosecutorial power, and I would far rather have him escape punishment than have the government be able to abuse its power like that.

      I think threatening people with violence, including on the internet, should be punished much more severely than it is. I would totally support them throwing him in jail for threatening that FBI agent, if they were similarly diligent about tracking down all the folks who have been sending death threats to eg Anita Sarkeezian, and throwing all of them in jail for a similar amount of time. Unfortunately, that's not what they threw him in jail for. They threw him in jail for putting up a link to data that other people took, and yet other people hosted. That precedent could easily lead to similar punishments for people linking to the Snowden documents, or anything on Wikileaks.

    5. Exactly what difference do you think using end to end crypto would have made to the facts on the ground here?

      We are talking about a database that has just been dumped in the wild by a celebrity hacker group. The thing is public.

      Meanwhile, off to the side, a tiny investigative journalist association, wishing to investigate the material to see if it contains newsworthy information, shares a link to the (already massively public) material on a private IRC chatroom.

      You now say you feel this was unethical because Brown didn't use end to end crypto.

      Your threat model here is what exactly? Let's presume SSL was not in use on this IRC server, which is not a foregone conclusion. So your threat model is... that identity thefts subvening on the hacked data might eventuate from an adversary performing a MITM attack on Barrett Brown's connection to the IRC server in order to intercept... an already publicly available link to a database that has been posted somewhere else in the clear? Really?

      At a more general level, I agree with the principle that journalists should use best security practice in their online communications. All of their communications, whether "sensitive" or not.

      But information security involves relative judgments of risk where you evaluate the cost of security measures against the risk and severity of threats. Journalists with limited time and resources should probably allocate those resources to high risk situations, where failure to employ information security potentiates serious consequences. Actual situations where they are handling actually sensitive information. Leaving aside that there is no actual harm alleged arising from BB sharing this link, what is the potential harm arising from Brown's alleged neglect here; what is its scope, it's severity and its likelihood?

      There is a miniscule risk of harm, because he was sharing a link in a private IRC populated only by investigative journalists with whom he was familiar, for the purposes of researching the new information. The data was already public, the link was already public. Anyone who wanted to obtain the link or the data could do it without the exorbitant cost in time and effort involved in intercepting packets between Barrett Brown's irc client and the ProjectPM server. And lest we forget, we are not talking about BB sending people's CC information, he was sending a link to a file hosted on someone else's server, published by someone else, of which some tiny proportion was sensitive information. So our hypothetical attacker would, upon intercepting the link, have to go and dig through the data like everyone else in order to sate his malice. The risks here are exceedingly negligible. Employing a form of end to end crypto, whether it's otr, pgp or some hyperobscure doodad using the btc blockchain and working over geological epochs, makes a negligible difference to those already infinitesimal likelihoods.

      As I say, journalists in general should ideally use crypto for everything. But failing that, infosec is about dealing with what is probable and mitigating risks, not about creating work environments hermetically sealed against the most outlandish risks our imaginations can come up with, and I see more of an ethical problem with journalists failing to use crypto when there is a reason to use it, than with journalists failing to use crypto when there is no real reason at all to use it short of pedantry.

    Continue the discussion bbs.boingboing.net

    61 more replies