Middle School Hacker Case Impacts CFAA Reform Debate

Note: this article was previously posted on Norse’s DarkMatters.

A Florida middle school student’s prank — with a computer — resulted in his being arrested and charged with felony “hacking.” His crime? He used a teacher’s password to log in and change the desktop background on the computer.

Given all of the rancor that was stirred up a few years ago over the prosecution of Aaron Swartz under the Computer Fraud and Abuse Act (CFAA), the question is, how will this case impact the ongoing debate about reforming the CFAA?

How the Eighth-Grader “Hacked” the School Computer

The publicly available facts of the case are limited but straightforward. Domanik Green, a 14-year-old eighth-grade student at Paul R. Smith Middle School in Holiday, Florida, logged onto a school computer with a teacher’s administrative password and changed the desktop background to a picture of two men kissing.

According to a recent article, Green admitted to the allegations. He initially logged into one computer that had encrypted FCAT questions stored on it but, realizing it did not have a camera, he continued to another: “So I logged out of that computer and logged into a different one and I logged into a teacher’s computer who I didn’t like and tried putting inappropriate pictures onto his computer to annoy him.”

This was not Green’s first time to be in trouble for inappropriately accessing the school’s computers. Previously, he was suspended for three days for an inappropriate access, and other students got in trouble along with him.

According to Green, what he did was a well-known trick among the students, who also regularly used the administrative password to screen-share with their friends as well as to use the computers’ cameras to see each other.

They were able to do this because they knew the password and it was easy to remember. The password was a teacher’s last name. The students learned it by watching the teacher type the password into the computer. According to the school district, it is now in the process of changing the network password.

Some Common Sense Questions that Should be Asked

If you are looking for a reason to scratch your head, this case gives you plenty. Common Sense 101 makes you wonder about some really basic things, assuming that Green’s statements are correct:

  • Why was the password the teacher’s last name?
  • Did the district have a password policy and, if so, did this conform with it?
  • Why would the teacher type in the password where the students could watch?
  • How many computers could be logged into this administrative account at one time?
  • If this had been done before — indeed, if it was a common trick — why was the password not changed sooner?
  • Were the teachers aware that the students were doing these things by logging in with the administrative password?
  • If the teachers were aware that the students were doing this, were they assenting to it?
  • If the teachers were not aware that the students were doing this, why not?

On a higher level, we must also ask the fundamental fairness question of whether the punishment fit the crime. Considering the fact that the only harm done was the changing of a computer desktop background, this boy’s being charged with felony computer hacking for accessing a computer that he (apparently) was authorized to use, albeit via a different account, when the credentials to that forbidden account were readily available, does not seem to pass this fundamental fairness question.

The boy’s mother is not making excuses for her son’s conduct and agreed that what he did was wrong. However, she also wonders why it was so easy for students to access the system. For most of us with an honest recollection of our own teenage years, she has a valid point.

It is not like a reasonable person could not foresee that teens in middle-school are going to play childish pranks and, if there is a computer available, use the computer to do so. As the father of an eighth-grader myself, I have no doubt.

This begs the question: if the school is going to seek to enforce its prohibition on unauthorized access of its computers by its students, what responsibility does the school have to reasonably limit their ability to do so?

The Problem with Cybercrime Laws

A couple of years ago we saw similar questions being raised about the Computer Fraud and Abuse Act arising from the prosecution of Aaron Swartz for using his authorized access to the MIT computer system to attempt to download and disseminate proprietary information in a way that was prohibited.

Swartz committed suicide as a result of his prosecution and a tremendous public debate ensued over, among other things, the fairness of the CFAA in general and, more specifically, the need for prosecutorial discretion in enforcing such laws.

One of the issues raised in that debate was whether the CFAA, which is a federal law, is too broad and should be limited so that many of the computer crime cases could be pursued under the computer crime laws of the individual states.

The argument on this point was that many of the cases that were being charged by the federal prosecutors under the CFAA did not justify being charged as a federal crime, and were more appropriately left to the local authorities in the states, to charge under the individual states’ computer crime laws.

While I have not seen the indictment of Domanik Green and do not know for certain what laws he was charged under, there are two hints indicating that he was charged under the Florida computer crimes law, not the Computer Fraud and Abuse Act.

First, the local news article reports that the Pasco County Sheriff’s Office is who charged Green, which indicates he was charged under the state law, not the federal. Second, the article states Green was charged “with an offense against a computer system and unauthorized access, a felony,” all of which more accurately describe the language of the Florida law rather than the CFAA.

This is an important point. I am sure that many people who only read the headlines about this case assumed that this is just one more example of why the CFAA has been so vilified and needs to be reformed, thinking this is a prosecution under the CFAA.

From what I can tell, however, this is not a CFAA case but, instead, a case charged under Florida law. Because of that, there are three important takeaways to remember when discussing reforming any computer crime law, especially the CFAA.

First, it is very difficult to draft a computer crime law in a way that prohibits the type of conduct that most agree needs to be prohibited yet is narrow enough to not unfairly punish conduct that is not deserving of such punishment.

Second, as evidenced by this case, computer crime laws encompass a very wide range of intentions, conduct, and resulting harm. Some cases are relatively minor, some catastrophic, and many are in between.

Because of this, the laws must have enough flexibility in both application and punishment so that the authorities are able to do their jobs in enforcing the laws while still ensuring that the punishment fits the crime.

Prosecutorial discretion is helpful in this regard; however, it is no substitute for properly crafted laws, which better ensure that those laws can be applied equally to all, without relying on subjective discretion.

Third, this shows that the argument that most computer crimes cases should not be charged under the CFAA but, instead, charged under the state law equivalent, is not the magic bullet to resolve the issue over the unfairness of prosecuting some cases under these laws. In fact, in this particular case, it seems as though the Florida law is more harsh than the CFAA.

The Florida law at issue is under Chapter 815 – Computer Related Crimes of the Florida Statutes and titled statute 815.06 Offenses against users of computers, computer systems, computer networks, and electronic devices.

In summary, Section 815.06(2)(a) of this law states that “a person commits an offense against . . . computer systems . . . if he or she willfully, knowingly, and without authorization: Accesses or causes to be accessed any computer, computer system, computer network, or electronic device with knowledge that such access is unauthorized.”

Subsection (3)(a) provides that “a person who violates [subsection (2)(a)] commits a felony of the third degree, punishable as provided in s. 775.082, s. 775.083, or s. 775.084,” and escalates in degrees of felonies based upon the damage or loss caused.

Under the Florida law, any unauthorized access case that is charged is at least a felony of the third degree. That is not the situation under the CFAA, which makes some lower-level offenses a misdemeanor.

I have generally been a strong supporter of computer crime laws and I still am. However, cases like this demonstrate why we must never stop seeking the truth and striving for the right balance in our computer crime laws.

Consider, for a moment, the impact of this charge on this 14-year-old eighth-grader’s future life. What he did was wrong and he deserves some form of punishment. However, what he did was also a childish prank. A prank that, rightly or wrongly, could be anticipated of a middle-schooler, was enabled by extremely poor security practices by the “victim,” and resulted in virtually no harm to anyone.

Under these circumstances, a felony charge is a very harsh punishment and requires a certain level of prosecutorial discretion be exercised by the local district attorneys before deciding to move forward with prosecuting this case.

But, it should not have to be left up to the prosecutor. The punishment component of this law should be changed.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
