Feds admit error in hacking conviction
Federal prosecutors ask an appeals court to reverse a computer-crime conviction that punished a California man for notifying a company's customers of a flaw in its e-mail service.
Filed on Tuesday in San Francisco's Ninth District Court of Appeals, the unusual request conceded that federal prosecutors in Los Angeles erred in bringing a criminal case against, and obtaining the conviction of, 30-year-old Bret McDanel. The one-time system administrator has already served his 16-month sentence and is currently on supervised release, during which time his access to computers is curtailed.
The conviction stems from an incident in September 2000, when McDanel notified the customers of his former employer--Tornado Development, which has since closed its doors--that the company's Web-based e-mail system had a flaw that could allow an attacker to gain access to a user's e-mail. The prosecutors successfully argued that that act--and the 5,600 e-mails sent to customers--had essentially damaged Tornado's system.
 | ||||
| | | ||
| Get Up to Speed on... Enterprise security  Get the latest headlines and company-specific news in our expanded GUTS section. | | ||
| ||||
| ||||
Now, following an appeal by Jennifer Granick, executive director of Stanford Law School's Center for Internet and Society, the U.S. attorney's office for the Central District of California admits that the arguments should not have prevailed.
"The government concedes that the evidence did not establish an intent to 'damage' within the meaning of the statute (Computer Fraud and Abuse Act), and requests that this Court reverse the defendant's conviction," Ronald Cheng, assistant U.S. attorney for the Central District of California, stated in the filing.
If the court agrees to overturn the conviction, it will remove a precedent that could have squelched the research of many security experts. The original conviction by U.S. District Judge Lourdes G. Baird determined that, by revealing a flaw in a system's security, a researcher could be accused of harming the system, a violation of computer crime laws. Cheng's statement acknowledges that such a reading should not be valid.
The government had argued that McDanel, who had used the handle "Secret Squirrel" online, had maliciously sent thousands of e-mails that overloaded Tornado's servers, revealing confidential information about the security of the system. Granick, McDanel's attorney, attacked that characterization, arguing that many missteps had been made in the case. Granick found fault not only with the prosecutors' arguments, but also with McDanel's original defense attorney and the criminal court's actions.
Rather than a criminal hacker bent on revenge, McDanel was an employee who voluntarily left Tornado to join another company, partially because the now-defunct company wouldn't deal with a security problem that he had flagged, Granick argued in the appeals-court filing. More than half a year after he left the company, McDanel used his valid account on the system to send a mass mailing to the company's customers, warning them of the flaw, she argued.
"This prosecution rode on the government's contention that McDanel was a 'hacker' with a criminal mind and a bone to pick against his former employer," Granick stated. "That bone was Tornado's refusal to fix identified security problems, and McDanel dealt with it by telling customers so that they could help themselves. This is not a crime."
The flaw highlighted by McDanel couldn't be considered confidential, because most security experts could easily spot it, Granick argued. A critical identifier that could allow access to a user's account was sent as part of the Web address in a browser, according to court documents. McDanel warned that a user that left the Tornado e-mail system to go to another Web site would be giving the other site the "keys" to the user's online mailbox.
Granick pointed out that the technical issues of the case couldn't be sufficiently explored because McDanel was not allowed an expert witness to refute Tornado's testimony. For example, a witness who would have testified that 5,600 e-mail messages wouldn't have an appreciable effect on any capable mail server was essentially silenced by a technicality and was only allowed to provide technical definitions. Moreover, the original defense attorney failed to give McDanel an opportunity to testify on his own behalf, Granick stated in the appeals-court filing.
Thom Mrozek, a spokesman for the U.S. attorney's office for the Central District of California said that prosecutors rarely ask for a reversal. "It's pretty damn rare," he said. "I have never seen it happen."
McDanel refused to comment for the story, and his attorney, Granick, couldn't be reached for comment. Jeff Scheinrock, the former CEO of Tornado Development, also did not immediately return calls.