The week of August 9, 2015

It’s time for police to end their dangerous misunderstanding of technology

By Gillian Branstetter

Here’s a fun prank to play on a friend the next time they leave their computer unattended. Take a screenshot of their desktop and make it their default background. Right-click (on a PC), go to “View,” then unselect “Show Desktop Icons.” Pull the taskbar below the screen, leaving a useless image of your friend’s desktop. Watch as they click furiously trying to figure out what’s gone wrong, laughing the quiet, stunted giggle of a low-level prankster.

Beware, however, because changing the background on a computer that isn’t yours could qualify you for felony hacking charges. That’s according to the Florida sheriff’s office, which has charged a middle school student with unlawful access to a network, a charge that could give 14-year-old Pasco County resident Domanik Green 10 to 20 years in prison. Green changed the desktop wallpaper of a teacher he found “annoying” to a picture of two men kissing. (Apparently, the password was the teacher’s last name.)

The computer, however, held encrypted standardized testing data. Despite the fact that authorities state Green never accessed the sensitive information, one of officers on Green’s case warned: “Who knows what this teenager might have done?” While the charges against Green are rather overwrought, stories like these serve to exemplify the massive gap between law enforcement and the technology they’re supposed to be monitoring. From local police in Florida to the Supreme Court, judicial officials have proven themselves to be woefully undereducated on technology.

Domanik Green’s case is atrocious on a number of levels. First, the school and law enforcement are effectively blaming the student for his school’s weak security standards. Green said many students knew the password and would use the administrative login to talk across the school’s webcams. Plus, using your last name as a password to protect the computer from a room full of teenagers who exclusively call you by your last name is the height of lazy cybersecurity. Second, Green is facing felony charges seemingly based on the hypothetical idea that he was after standardized testing information. The insistence of the sheriff’s office on “what this teenager might have done” is irrelevant, as it does not qualify as a crime—you can’t arrest people for having the chance to do something illegal and not taking it. Juvenile files in Pasco County, Florida, are sealed, even for felony cases, so the county clerk’s office was unable to provide an update on Green’s case.

From local police in Florida to the Supreme Court, judicial officials have proven themselves to be woefully undereducated on technology.

It’s this sort of broad application that has earned the Computer Fraud and Abuse Act—the federal law Green is being charged under—so much criticism from security professionals. Adopted in 1984, the law is bloated and outdated, allowing prosecutors to call for decades-long prison sentences for actions as small as participating in a distributed denial-of-service (DDoS) attack or discussing a hack in an IRC. Reddit co-founder Aaron Swartz faced up to 35 years in prison for downloading JSTOR documents from MIT’s network, and confronted with the potential of such a steep sentence, Swartz later took his own life.

As Slate’s Justin Peters points out, the CFAA originally applied to very few computers—those involved in “interstate” commerce. When the law was passed, that mostly meant computers involved in governmental or financial affairs. The scenario presented to lawmakers was less Green’s harmless prank and more concerned with secure military networks like ARPANET, an early forerunner of the Internet. Now that most computers have Web access—meaning everything from your smartphone to your toaster is susceptible to the CFAA—prosecutors and police are armed with a powerful law meant to take down top-level hackers and apply it wherever they like, even in the case of a schoolyard prank.

Such vague laws are especially dangerous in the hands of a judicial branch woefully undereducated in technological matters, as Domanik Green is finding out now. Judges at all levels of government continually embarrass themselves through ham-fisted attempts at rulings on technology, often with disastrous results. When Google was sued for supposedly wiretapping people’s Wi-Fi connections through its Street View cars, a judge declared Wi-Fi to not be a form of radio communication and therefore susceptible to federal wiretap regulations. Except Wi-Fi is a radio communication and the networks Google accessed were unprotected by passwords.

Vague laws are especially dangerous in the hands of a judicial branch woefully undereducated in technological matters.

The Supreme Court has been especially criticized for its own lack of expertise on technology, an especially worrisome problem considering potential rulings on cybersecurity, privacy, and mass surveillance by the federal government. Justice Elena Kagan raised more than a few eyebrows when she revealed her colleagues don’t go online often and don’t even use email. The Supreme Court—the same body must decide what the National Security Agency can and cannot look at without a warrant—is still typewriting memos on paper and having aides carry them from office to office.

It is true that one does not have to be a daily user of such newfangled technology to understand how the law applies to it. The Supreme Court was rightfully lauded last year for its ruling against warrantless searches of cellphones by police, in which Chief Justice John Roberts declared cellphones to carry more private data than even a household. “A phone not only contains in digital form many sensitive records previously found in the home,” wrote Roberts, “it also contains a broad array of private information never found in a home in any form.”

But the question remains whether courts and police can keep up with technology as it changes—and as more generations grow up with it. To Domanik Green and his friends, accessing their teacher’s login was so easy it likely felt like nothing but the simple joke it was meant to be. To an undereducated police force and naive school faculty, they likely looked like highly trained hackers capable of anything. While Green was using an administrative login without permission, anyone who understands what he did could never justly throw him in prison for it.

As technology increasingly dominates so much of our lives, properly educated law enforcement has never been more important.


A version of this article was originally published by the Daily Dot on April 14, 2015. 

Photo via Rainer Stropek/Flickr (CC BY 2.0) | Remix by Max Fleishman