NEW YORK, Dec 17 (Reuters Legal) - Legal hurdles could make it tough for U.S. prosecutors to go after pro-WikiLeaks hackers who waged cyber attacks last week on Visa, MasterCard, PayPal and other companies.
Attorney General Eric Holder said last week he was “looking into” it but there are enormous challenges finding, moving, investigating and finally convicting those the United States might accuse.
Typically the federal government prosecutes hacking under the Computer Fraud and Abuse Act, which prohibits the “transmission of a program, information, code, or command” that “intentionally causes damage without authorization, to a protected computer.” It’s a broad, powerful statute that applies even to computer crime committed abroad, and can carry prison sentences and heavy fines. But to use it, authorities will first have to locate the elusive hackers and bring them to the United States.
In this case, a group of Internet activists working under the name Operation Payback claimed responsibility for the attacks, which briefly shut down the websites of several companies that had cut off services to WikiLeaks after the whistleblower organization last month made public a massive trove of secret U.S. diplomatic cables. Dutch police arrested two Dutch teenagers last week, and other hackers around the globe are believed to be involved. If the U.S. seeks to prosecute these or any other hackers who may be apprehended overseas, it will have to rely on foreign counterparts to extradite them to the United States. Extraditions often get caught up in politics.
Over the last decade, international cooperation in computer crimes has increased; since 2004, dozens of countries have ratified the Council of Europe’s Convention on Cybercrime, which was designed to harmonize computer crime policy and foster international cooperation. Still, a handful of countries, including Russia, have not ratified the treaty. Prosecuting hackers in those countries could prove difficult. The Wall Street Journal reported that the Federal Bureau of Investigation worked with Dutch authorities on the arrests; Justice Department spokeswoman Laura Sweeney declined to comment on the arrests in the Netherlands or the extent to which the two countries may be cooperating.
The targeted companies apparently suffered “distributed denial-of-service attacks,” which overload websites with so much traffic that they slow down or stop functioning altogether. In such attacks, hackers infect many computers with a program designed to flood the target’s Web server. To find the people responsible, the U.S. government might be able to use undercover agents and cooperators, or get help from international organizations that track the sources of viruses and cyber-weapons.
In the absence of such assistance, investigators would have to trace the source of the attacks themselves. First, the infected computers must be located. For investigators in the United States, this technological challenge also presents a legal hurdle: obtaining subpoenas for multiple Internet service providers. Then, once the infected computers are tracked down, and if the owners don’t voluntarily turn them over, investigators face another legal obstacle: getting a search warrant to examine the hard drives. Only then can they begin the complex forensic analysis aimed at tracing the program back to its source.
The U.S. Computer Fraud and Abuse Act imposes another hurdle, albeit a minor one: The government must show that the alleged computer crime caused losses in excess of $5,000 over a one-year period. In this case, that would be easy to do. But so far, no evidence has emerged to suggest that any of the companies targeted by Operation Payback suffered serious losses. MasterCard, for example, said in a statement that while it had “seen limited interruption in some web-based services,” its “core processing capabilities have not been compromised and cardholder account data has not been placed at risk.” Prosecutors may feel less urgency to bring charges because the damages appear to be relatively small.
In contrast, the federal government last year won a conviction against Albert Gonzalez, an American who pleaded guilty in connection with the computer hacking of several major U.S. retailers. More than 40 million credit and debit card numbers were allegedly stolen in the process. Gonzalez was sentenced to 20 years in prison in March.
David Goldstone, a former attorney in the Justice Department’s Computer Crime and Intellectual Property Section and now a partner at Goodwin Procter, said that a decision whether to prosecute the Operation Payback could come down to the allocation of resources and the perceived importance of the attacks. “The government may give it less of a priority,” Goldstone said. “They may treat it as graffiti.”
Editing by Eric Effron and Amy Stevens of Reuters Legal