An attempted password crack was enough for a U.S. indictment against Julian Assange
The U.S. government unsealed an indictment Thursday charging Julian Assange with a single count of conspiracy to commit computer intrusion for allegedly agreeing to help crack a password on a protected U.S. government computer.
Legal experts who spoke with CyberScoop said Assange didn’t actually have to directly hack anything to violate the Computer Fraud and Abuse Act (CFAA), which was enacted in 1984 to prohibit unauthorized access to a computer system. Assange, the founder of WikiLeaks, in March 2010 was engaged in a conspiracy with former U.S. Army soldier Chelsea Manning to access and publish classified material stolen from U.S. government networks, the indictment says.
By actively participating in the collection of data from a protected government network, rather than receiving it from a source after the collection — as journalists typically do — Assange is legally liable, according to prosecutors.
After Manning provided Assange with “hundreds of thousands” of government files, Assange “agreed to assist” Manning find more material by unlocking a password that was protected in a hash value, according to the Department of Justice. The hashing process involves scrambling a password into a string of other characters, though hackers in the past have demonstrated ways to defeat that protection.
Two days after Manning provided “part of a password” to Assange, the WikiLeaks founder “indicated that he had been trying to crack the password by stating that he had ‘no luck so far,’” the indictment states. There is no suggestion in the indictment Assange successfully cracked the hashed password.
The alleged participation in the conspiracy, along with Assange’s apparent acknowledgement that he sought to access the password, undergirds the government’s case that the WikiLeaks founder violated the CFAA, said Bradley Moss, an attorney specializing in national security at the Washington, D.C., law firm Mark Zaid P.C.
“This is, very simply, [that] Chelsea Manning had a certain level of access because of [a] clearance, [Manning] was giving information already, and [Manning and Assange] made an agreement to get more information,” he said. “To do that they had to break the password. That’s the bread and butter of the CFAA.”
Cracking the password would have allowed Manning to access U.S. Defense Department computers under an identity other than her own, the indictment states. That would have made it more difficult for investigators to determine Manning was behind a disclosure of classified government information.
WikiLeaks in 2010 released sensitive information including a trove of diplomatic cables in which U.S. officials made embarrassing comments about American allies, and a video showing U.S. troops killing civilians and journalists in Iraq. The leak was ultimately traced back to Manning, who was sentenced to 35 years in prison before President Barack Obama commuted the sentence after nearly seven years.
Assange’s acknowledgement that he tried to crack the password, thus participating in illegal activity, is enough to charge him with a CFAA violation for which he could face five years in prison, according to Paul Rosenzweig, a senior fellow at R Street consulting and a law professor at Georgetown University.
First it will be up to a U.K. court to determine if Assange should be extradited to the U.S., as the Department of Justice has requested. The extradition treaty between the U.S. and U.K. stipulates that extradition may not be granted if the offense in question is political in nature, something Assange may argue because of the material WikiLeaks published.
“He’ll probably fail but from one perspective its not frivolous,” Rosenzweig said of such an approach.
A U.K. high court last year denied a U.S. extradition request regarding Lauri Love, a student accused of hacking into U.S. government websites. The judge in that case ruled that Love, then 33 years old, should stand trial Britain because Love would be at risk of killing himself because of the conditions in U.S. jails. A mental health specialist had testified in that case that Love exhibited signs of Asperger’s syndrome and also was at high risk of suicidal tendencies.
“This is not just for myself,” Love said following the ruling last year. “I hope this sets a precedent for the future for anyone in the same position that they will be tried here.”
Assange for years has claimed U.S. prosecutors would use his case as an opportunity to curb press freedom. But by charging Assange with a violation of the CFAA, rather than espionage or disseminating classified material, Rosenzweig says, the Justice Department appears to have carefully avoided that issue.
Others are more suspicious. In a statement Thursday the Electronic Frontier Foundation suggested the government is seeking to “punish a whistleblower and the publisher of leaked material.” EFF executive director Cindy Cohn, in an interview with CyberScoop, said the indictment is part of government effort to criminalize journalism by suggesting Assange, as a publisher, and Manning, as a source, were engaged in a conspiracy.
“They’re saying the conspiracy was to crack a password … but they’re really upset about the publication of information,” she said.
“It’s hard to tell from this indictment what Assange actually did, but if he did what they say it seems to be a very weak basis for all of this,” Cohn said. “This whole indictment is an attempt to make something very, very tiny that may indeed by a CFAA violation into making it seem like journalism with a computer is illegal.”
WikiLeaks also has published emails from the Democratic National Committee in 2016 which appear to have been initially stolen by Russian military hackers. Then, in 2017, the group published the Vault7 documents, a trove of files detailing the Central Intelligence Agency’s hacking capabilities. Neither of those cases were mentioned in the indictment.
[documentcloud url=”http://www.documentcloud.org/documents/5817321-Assange-Indictment.html” responsive=true]
