The Computer Fraud and Abuse Act, or CFAA

We Should All Step Back from Security Journalism

I’ll Go First

I started studying the computer underground back when I worked in tech, as an early web developer, in the mid 1990s. I found the world fascinating, and I interviewed people and wrote about it, initially for myself. I never participated much. At first this was because I didn’t have much to contribute, but in time I came to understand that I wanted to remain on the disinterested side of law enforcement. This was not only because of what it meant for my own long-term prospects, but because it would let me build more understanding of the culture I was studying, and ultimately let me share what I learned of that culture with more people.

As the internet escaped its counter-culture and specialist roots, I have been able to speak to a much wider audience than I could have dared to hope for back in 1995. The internet went from being my world to being nearly everyone’s world in the historical flash of two decades. As for me, I left the tech industry and began to write about how that industry was changing the world full time, including tech’s often hunted underground. I was speaking to a wider audience than were on the net at all when I started.

According to this Texas prosecutor, and many more law enforcement agents, once someone grabs this data cache and examines it, passes it along to expert eyes, or to a journalist, they are committing crimes for which they may be ripped from their home, job, family, and the future they expected to have. They may be incarcerated for doing their job.

Goodbye, For Now

It’s entirely possible these decisions, even in Brown’s case, can be interpreted in ways that don’t significantly threaten journalism and security. But right now we are protected by a political mood at best, and not the law of the land. Right now the legal system sees us all as criminals-in-waiting, able to be taken down when the political mood changes. It should be made clear, in law, that the tasks security researchers do to make the net more secure and journalists do to understand and contextualize the truth for the public are not crimes.

Journalism is hampered by this lack of clarity. Right now it may seem like a narrow range of journalism and research is affected, but as the Sony hack aftermath has shown, as the internet becomes the world, internet issues just become everyone’s issues.

If journalists and security professionals can’t do their jobs, even when you may not like what they’re telling you, we all live in a more dangerous world.

This decision by one court in Texas undoubtedly doesn’t have as much power as a normal conviction, and it doesn’t yet reach beyond the 5th circuit, but after 14 years of an ever-tightening noose on security, journalism, and even normal internet life, it is past time for Congress and the people who inform and protect our polity to come together and fix this ever-widening gap between law and reality. In the meantime, I can’t do my job and be assured that I won’t be ripped away from my family, which means I can’t do my job.

I hope that other journalists and security professionals join me in protecting themselves by stepping back, and calling for legislative clarity. And as that hampers American security and journalism, I hope that our colleagues overseas can step in and fill the gaps.

And to all the hackers, geeks, weirdos, coders, sysadmins, network junkies, students, professors, and enthusiasts, thank you for a fantastic 20 years. I hope to rejoin this great story of human history when the law protects me and my colleagues in journalism.

— Quinncc