In 2004, a few years before the rise of Anonymous, the notorious online collective of hackers and activists, a seventeen-year-old named Jeremy Hammond gave a talk on “electronic civil disobedience” at the annual Def Con hacking conference. “We believe that hacking is a tool. It is a means to an end,” he said, shaking his head of bleached-blond hair as he spoke. He rejected those who hack for personal gain or to improve corporate security. He advocated hacktivism, which he defined as “a practical application of network insecurity skills … as a means of fighting for social justice by putting direct pressure on politicians and institutions.”
This past Friday morning, Hammond, now twenty-eight, stood before a federal judge wearing a smirk and a black prison jumpsuit. He was about be sentenced for a string of computer crimes, making him the latest hacktivist to be punished for disrupting computer systems. Hacktivists, unlike the standard criminal hackers, claim to seek political change rather than financial gain—a distinction that rarely earns them much sympathy before the law. But, like his talk at Def Con, Hammond’s final speech in court was unrepentant. “I also want to shout out my brothers and sisters behind bars, and those who are still out there fighting the power,” he began.
Hammond isn’t as widely known as Edward Snowden or Chelsea Manning, but his reputation precedes him: in 2011, he worked with members of Anonymous to break into the systems of the U.S.-government-intelligence contractor Strategic Forecasting, Inc., better known as Stratfor, and to leak millions of its internal e-mails to WikiLeaks. The trove revealed, among other things, surveillance of political groups in the U.S. and abroad, from Occupy Wall Street to activists who campaigned in Bhopal, India, following a deadly gas leak in 1984 that killed thousands of people.
Hammond also aided in the theft of sixty thousand credit-card numbers from Stratfor, which were leaked online after they were used by Anonymous to make more than seven hundred thousand dollars’ worth of fraudulent charges, which included large donations to charities and nonprofits—although, as the security researcher Mikko Hypponen explained shortly after the leak, none of the intended recipients could make use of the money. The group then defaced Stratfor’s Web site, wiped its client database clean, and destroyed its e-mail server. Hammond, using the alias “sup_g,” told one of his comrades at the time that he was “hoping for bankruptcy, collapse.”
Hammond was caught after he teamed up with Hector Xavier Monsegur, known as Sabu, the leader of the Anonymous splinter group LulzSec and, unbeknownst to Hammond at the time, an F.B.I. informant. Sabu, at the F.B.I.’s request, provided Hammond with a server on which to store stolen data—including what he had obtained from Stratfor—and fed Hammond a list of Web sites to attack.
Hammond had not only been caught in the sting; he had also become an unwitting pawn in the government’s electronic spy games. Hammond claimed that his intrusions, made during January and February of last year, “affected over 2000 domains” and included the government Web sites of Brazil, Turkey, and Syria, among other countries, as well the “official website of the Governor of Puerto Rico, the Internal Affairs Division of the Military Police of Brazil, the Official Website of the Crown Prince of Kuwait, the Tax Department of Turkey, the Iranian Academic Center for Education and Cultural Research, the Polish Embassy in the UK, and the Ministry of Electricity of Iraq.” At Hammond’s sentencing, when he began reading the names of the countries that Sabu had told him to attack, which the government had redacted from court documents, he was silenced by the judge.
The defense did its best to portray Hammond’s crimes as acts of electronic civil disobedience—the same kind of acts that he’d described years ago at Def Con. They read selections from the hundreds of letters of support that Hammond had received, including one from Daniel Ellsberg, the Pentagon Papers whistle-blower. They blasted the government’s “one-dimensional view” of Hammond’s actions, saying that his motivations for exposing powerful institutions like Stratfor were the same as those that had inspired his community service in his native Chicago, where he frequently volunteered at soup kitchens and taught disadvantaged kids how to use computers.
The U.S. district judge Loretta Preska was unmoved, focussing on statements made by Hammond in online chat logs, where he encouraged his fellow Anonymous members to cause “maximum mayhem” with Stratfor’s credit cards. Besides, Preska reasoned, Hammond was a repeat offender who had already served a two-year sentence for hacking the Web site of Protest Warrior, a right-wing group known for crashing anti-war rallies. “These are not the actions of Martin Luther King, of Nelson Mandela … or even Daniel Ellsberg,” she said.
Even if Preska had been sympathetic to Hammond or to his cause, it would have been difficult for her to hand down a particularly lenient sentence. The Supreme Court has instructed judges to ignore sentencing guidelines at their own peril, and the Computer Fraud and Abuse Act, an anti-hacking law that was enacted in 1986 and was modelled on a wire-fraud statute from 1952, which was itself based on a 1948 mail-fraud statute, engenders restrictive sentencing guidelines.
General federal sentencing guidelines establish forty-three levels of “offense seriousness.” The higher the level, the more severe the punishment. In a hacking crime, prosecutors can do a number of things to increase the level of offense, including deconstructing a single act of hacking into multiple charges: unauthorized computer use, wire fraud, damaging “a protected computer,” stealing protected information, and sometimes even aiding and abetting other crimes. They can calculate the damages caused by the hack—“the loss”—at a high rate, and they can present evidence that the defendant is not taking responsibility for what he has done. In Hammond’s case, his plea agreement notes that the “base offense level” for his crime was six, which would typically carry a sentence of six to twelve months. But the prosecutors calculated that he had caused more than a million dollars in damage and harmed more than two hundred and fifty people. Taking into account his prior convictions, his “adjusted offense level” was thirty-one, for which the minimum penalty is twelve years. To avoid such a long sentence, Hammond pleaded guilty to one count of a conspiracy to violate the C.F.A.A., which carries a maximum of ten years, and he asked the court for lenience because he had used “his abilities to potentially unmask unlawful surveillance and intelligence-gathering efforts and seek out hidden truths.”
Declaring a need to “promote respect for the rule of law,” Preska gave Hammond the maximum sentence of ten years. His jail time will be followed by three years of supervised release, during which all of his devices will be monitored by police software, his property will be subject to warrantless searches, and he’ll be forbidden from using encryption or anonymity tools.
In a letter to the court on Hammond’s case, Hanni Fakhoury, a lawyer with the Electronic Frontier Foundation, points to a defendant who was recently convicted in a hundred-million-dollar welfare-fraud scheme and received a hundred and twenty-five months in prison—only five months longer than Hammond’s sentence, despite inflicting far greater damages. Hammond’s collaborators in the U.K. received dramatically lighter sentences than he did, ranging from two hundred hours of community service to thirty-two months in prison.
The disparity is even more apparent in the case of the Paypal Fourteen, the group charged for participating in the distributed-denial-of-service attack (D.D.O.S.) that disrupted the online-payment Web site in retaliation for its refusal to process WikiLeaks donations. D.D.O.S. attacks don’t involve breaking security or stealing information; instead, they flood Web sites with hundreds of thousands of requests, overwhelming the servers and making them temporarily unavailable. Stanley Cohen, an attorney for one of the Paypal defendants, described the tactic as an “electronic sit-in”—a twenty-first-century salute to the legacy of Birmingham, Alabama. Others argue that D.D.O.S. attacks are a form of censorship—noting that it has been appropriated by corporations and governments as a weapon of cyberwarfare.
But the C.F.A.A.’s broad guidelines for calculating “loss” mean that digital protests often result in much harsher penalties than their real-world analogues in the U.S. For example, most of the seven hundred Occupy Wall Street protesters who were arrested for blocking off the Brooklyn Bridge in October, 2011, received a night in jail plus a small fine. But for their D.D.O.S. disturbance, the Paypal Fourteen are each facing up to fifteen years in prison, with a plea deal possible only if thirteen members of the group comply.
Not long ago, a young activist named Aaron Swartz sat before a different judge in a similar situation. His transgressions were far more innocuous: Swartz, whom Larissa MacFarquhar wrote about in March, was indicted for downloading millions of academic articles from JSTOR, a pay-walled service he had free access to on M.I.T.’s campus. JSTOR dropped its charges, but the government chose to pursue the case aggressively, in a move that was widely condemned as prosecutorial overreach by lawyers, friends, and fellow-activists.
As with Hammond’s hearing, the broad language of the C.F.A.A. statute allowed prosecutors to pile on charge after charge, threatening Swartz with up to thirty-five years in prison and pressuring him to accept a guilty plea rather than undergo an expensive trial. In January, Swartz committed suicide.
Another similar case is that of Barrett Brown, a journalist and online activist. Sometimes known as a former “unofficial spokesperson” for Anonymous, he is currently facing fifteen years in prison for copying and pasting a public link to the Stratfor documents that Hammond stole into an online chat room; he faces an additional thirty years for aiding and abetting those crimes. The government argues that sharing the link is a crime simply because he knew that the link contained credit-card information and it “caused the data to be made available … without the knowledge and authorization” of Stratfor.
Judge Preska refused to recuse herself from the case after Hammond’s attorneys filed a motion last year requesting that she do so, noting that her husband, Thomas Kavaler, was a partner at a law firm whose information was compromised in the Stratfor leak. At a rally of Hammond supporters in Foley Square after the sentencing, the former New York Times reporter Chris Hedges told the crowd, “She never, ever should have been allowed to sit this case …. The danger of what happened today is that the assault on figures like Hammond, like Barrett Brown, like Edward Snowden … is essentially attempting to crush any possibility that the public can be informed about what the centers of power are doing.”
Other examples of this form of activism abound: in 2011, the artist and activist Ian Paul organized an action called Border Haunt, in which hundreds of participants spammed a police database with the names of immigrants who have died crossing the U.S.-Mexico border. That same year, hacktivist groups provided Arab Spring protesters who had been cut off from the Internet with dial-up connections, mesh networks, and guides on how to properly treat tear gas. They also shut down government Web sites in Egypt and Tunisia in retaliation.
Hammond is perhaps another example of how hacktivism and leaking have created a new type of political dissenter. His tactics, of course, are the same as those used by criminals seeking personal gain, which is why they’re sometimes described as “cyberterrorism.” But as Hammond explained it in 2004, hacking can be a tool and hacktivism just one component in a comprehensive program of political engagement. Whether and to what extent the U.S. government will recognize it as such remains an open question.
Correction: Aaron Swartz’s case was not heard in the same court as Hammond’s.
Above: The Codehack conference. Photograph by Fabrizio Giraldi/LUZ/Redux.
