The Trump administration's decision to charge Julian Assange with 17 counts of violating the Espionage Act has generated significant controversy. One legal expert described it as "crossing a "constitutional Rubicon." CPJ warned that the indictment could be the opening salvo in a broader attack on First Amendment journalistic protections. The 18th charge against Assange--of violating the Computer Fraud and Abuse Act (CFAA)--has garnered far less attention. Yet technology journalists and legal experts interviewed by CPJ since the charge was first publicized in April shared significant concerns about the law, and their growing fear that it could be used to implicate journalists in the criminal activities of their sources.
Prosecutors argue that Assange conspired with U.S. Army private Chelsea Manning to access information on U.S. government computers that would later become the source material for investigations by The New York Times and the Guardian, among other news outlets. The single count of conspiracy to commit computer intrusion, dated March 2018 and unsealed more than a year later, was included in the latest, superseding indictment.
The Electronic Frontier Foundation (EFF), a leading digital civil liberties group, describes the CFAA as an "outdated" law from 1986, when about 2,000 computers were online. It is a crime under the law to access a computer "without authorization," or by "exceeding authorized access," but what that means has been subject to dispute, allowing prosecutors to broaden the law's application, according to the EFF.
"The thing the CFAA and Espionage Act have in common is criminalizing regular processes of journalism," Quinn Norton told CPJ. Norton documented hackers leaking credit card numbers online and other security breaches for several U.S. news outlets before taking a step back from technology reporting in 2015, citing possible exposure to CFAA charges as a result of her work.
According to the indictment, Assange "agreed to assist" Manning in "cracking" a password in an online conversation in 2010, making it "more difficult" to identify her as the source of the leak. The indictment does not accuse Assange of cracking the password, but says it was "part of the conspiracy," that he "encouraged" Manning to leak information, and collaborated with her using an "online chat service."
"The Assange indictment raises concerns that when a source provides digital information to a reporter that they were not authorized to release, prosecutors will look for anything that can be presented as 'assistance' to that source as a basis for prosecuting or threatening reporters as co-conspirators under the CFAA," Cindy Cohn, the executive director of the Electronic Frontier Foundation, told CPJ.
Journalists interviewed by CPJ each said that they would not crack a password or help a source hack into a computer or a network. "Based on my reading of the indictment, Assange was encouraging the leak of classified data--which you just can't do," Zack Whittaker, the security editor of TechCrunch, told CPJ.
Indeed, the government may lean on the charge to differentiate Assange's actions from the protected activities of reporting and publishing, Jameel Jaffer, the executive director of the Knight First Amendment Institute at Columbia University, told CPJ. "My guess is that the Justice Department will try to address First Amendment concerns by emphasizing that Assange agreed to try to crack a password for Manning," Jaffer told CPJ. "It will argue that Assange's agreement to crack a password sets his case apart from cases that involve journalism as conventionally understood."
But the CFAA charge itself gave some journalists pause. "Assange went further than journalists go--but not that much further," said Kevin Poulsen, a technology reporter at The Daily Beast who helped develop SecureDrop software for whistleblowers to submit documents to journalists. One question the indictment raised, Poulsen told CPJ, was under what circumstances prosecutors might accuse journalists who regularly talk to hackers of conspiracy to violate the CFAA. If one of his sources hinted at plans to hack into a network, Poulsen wondered, might some future prosecutor use the conversation to accuse him of passive complicity in the hack? Was he required to dissuade the hacker from breaking the law? "It's going to be on my mind during conversations with sources," he said.
Other journalists also expressed concern that their conversations with sources could end up in court. "Part of my tremendous worry about this indictment is that federal prosecutors are going to parse conversation between sources and journalists closely, looking for narrow violations of the law," said Ryan Tate, the technology editor at The Intercept.
Journalists are permitted to report on or publish information that was obtained illegally by a third party and is a matter of public concern, according to Michael Rothberg, a lawyer in Bethesda, Maryland who advised journalists investigating tax evasion based on the anonymous leak of legal documents known as the Panama Papers. Rothberg told CPJ he pointed those journalists to the landmark 2001 case Bartnicki v. Vopper, in which the Supreme Court found that a radio station was within the law when it broadcast an illegally intercepted conversation received from a source because it had not participated in the unlawful recording.
But Rothberg told CPJ that such legal protection is potentially jeopardized if a journalist engages in communications with the source that authorities construe as participating in unlawful conduct. "One stray comment could land you in hot water," he said.
"At some point it becomes a question of, what is help, what is an offer?" Lorenzo Franceschi-Bicchierai, a reporter with Motherboard, the technology outlet hosted by Vice, told CPJ. "Is this conversation with a hacker going to be construed as a conspiracy?"
Journalists need to communicate with hackers in order to test their claims, according to Andy Greenberg, Wired writer and author of This Machine Kills Secrets, a history of digital leaks. "I say, 'Well, can you prove it by doing this, or showing this data?'" he said, describing what such interactions typically look like. "And then I think: Wait, did I just conspire with you to hack something?"
If a hacker publishes emails or other data they claim to have taken from a company, asking them for details is one of a "patchwork of different techniques" a 2016 Motherboard guide recommends reporters use to verify its authenticity. Verification is "vital," the guide says, since companies may deny being hacked, leaving victims reliant on media reports. Other techniques from the guide include trying to create an account with the same company using an email from the leak to reveal if the owner of the email already has one.
Because the CFAA has been interpreted expansively, prosecutors could describe such techniques as accessing, or conspiring to access, a system without authorization, Tor Ekeland, a lawyer who specializes in the CFAA, told CPJ. "It's very easy to bring a conspiracy charge under CFAA," he said.
All sorts of online activities that did not exist when the law was formulated are now considered to fall within its scope, according to Ekeland. In 2018, for example, the Knight First Amendment Institute asked Facebook to allow journalists to automate collection of information from public Facebook pages and create pseudonymous accounts for reporting; Facebook has instructed journalists to discontinue investigations, because these methods violate its terms of service. Since terms of service are one way for a company to authorize access, some courts have found that violations of those terms should be subject to civil penalties under the CFAA, according to the EFF. The threat of civil lawsuits under the CFAA "deters journalists and researchers" from using publicly available data on Facebook, according to the Reporters Committee for Freedom of the Press.
Jay Ward Brown, a media lawyer at the firm Ballard Spahr, advises journalists concerned about avoiding CFAA violations about once a week, he told CPJ. Reporters and their lawyers are "spending a lot of energy running through hypotheticals," he said.
And the Assange indictment is not the first time the government has characterized a journalist's online action in criminal terms in court. Back in 2015, Quinn Norton testified during the trial of Barrett Brown, a journalist prosecuted by the U.S. government for a range of offenses, some of which stemmed from reporting on an online data leak. "It was clear that the prosecution considers what I do to check my stories criminal," she wrote at the time. CPJ noted in 2013 that the Brown "could criminalize the routine journalistic practice of linking to documents publicly available on the internet." Though Brown was convicted on other charges, the government argued at his sentencing that he was "trafficking" stolen information when he "made accessible the data to other people by providing the data link," according to a hearing transcript; the judge extended his total prison time by about a year using a sentencing enhancement for trafficking, his lawyer told a journalist at the time.
In the Assange indictment, Norton sees the government doubling down, she told CPJ this month. "CFAA charges represent a way to harass journalists away from covering a lot of potential stories," she said. The charge against Assange, she said, is "sending a message" to technology reporters. "It's like installing censors in our heads."