Dallas writer Barrett Brown, who was involved with the "hacktivist" movement Anonymous until earlier this year, was indicted last Tuesday (Dec. 4) on 12 counts related to possession of stolen credit-card numbers.
The indictment alleges that Brown possessed at least 10 stolen credit-card numbers and card-verification values (CVVs), and also shared a link to a document that contained thousands more stolen credit-card numbers. He faces 45 years in prison if convicted on all counts.
However, the indictment does not allege that Brown himself stole the credit-card numbers or that he profited from having them. It states that merely possessing the numbers shows "intent to defraud."
What Brown actually did was post a link to a "data dump" of stolen information, including credit-card numbers, on his own Internet Relay Chat forum. He also had one or more text files containing about 10 stolen credit-card numbers on his own computer.
If that's the case, then dozens of technology journalists, including possibly this writer, as well hundreds of technology researchers, might be considered just as guilty as Brown.
Many online news reports include links to websites where politically motivated hackers post their manifestos, and those manifestos in turn often contain links to file-sharing sites that house stolen data.
Are journalists who post those links trafficking in stolen goods?
Because of those manifestos, data dumps themselves are easy to find, copy and analyze. To security researchers, they provide a good look at how bad digital security can be. To journalists who cover digital security, they are primary sources for news stories.
Are researchers and journalist who possess copies of the data dumps guilty of "intent to defraud," even if they never plan to use the information for ill-gotten gain?
The Stratfor connection
Last week's indictment stems from the December 2011 hack into servers belonging to Stratfor Global Intelligence (formerly Strategic Forecasting, Inc.), an Austin, Texas, firm that consults corporations and government agencies on geopolitical matters.
Hackers working with the Anonymous offshoot AntiSec (which included a government informant ) broke into Stratfor's servers looking for evidence to support their suspicions that the firm was operating as a private spy agency.
AntiSec copied everything it could access in Stratfor's servers and posted the information online. There was a lot of it — approximately 860,000 email addresses and encrypted passwords, 68,000 unencrypted credit-card numbers and 50,000 telephone numbers, most of them belonging to subscribers of Stratfor's email newsletter.
But the real find was 5 million internal company emails, which Wikileaks later posted online, again as part of an attempt to prove that Stratfor was deeply involved with secret governmental and corporate skullduggery.
(Disclosure: This writer subscribed to Stratfor's emailed newsletter for several years and still finds the company's analyses informed and insightful.)
"Stratfor was not breached in order to obtain customer credit-card numbers, which the hackers in question could not have expected to be as easily obtainable as they were," Brown wrote in an online posting after the breach was revealed. (Stratfor had unwisely stored the card numbers in plain text.) "Rather, the operation was pursued in order to obtain the 2.7 million e-mails that exist on the firm's servers."
The AntiSec hackers said at the time that they used some of the stolen credit-card data to make donations to the Red Cross, Save the Children, WikiLeaks and other charities. That was never fully confirmed, but some people on the Stratfor email list were tricked into seeing Rick Astley videos.
Brown is not accused of taking part in the Stratfor hack. By his own admission, he's not technically skilled.
But he did learn of it before it was publicly disclosed, and sent out tweets promising that something big was about to be revealed.
Once AntiSec made the data breach public on Christmas Day 2011, Brown, as he had done before, became the public face of Anonymous, explaining the group's methods and motivations to the media without claiming to be part of it.
[ 5 Steps to Better Credit-Card Security ]
The alleged crimes
"On or about December 25, 2011," last week's indictment states, "defendant Barrett Lancaster Brown … did knowingly traffic in more than five authentication features knowing that such features were stolen and produced without lawful authority."
Specifically, "Brown transferred the hyperlink 'http://wikisend.com/download/597646/stratfor_full_b.txt.gz' from the Internet Relay Chat (IRC) channel called '#AnonOps' to an IRC channel under Brown's control called '#ProjectPM.'
"Said hyperlink provided access to data stolen from the company Stratfor Global Intelligence, to include in excess of 5,000 credit card account numbers, the card holders' identification information, and the authentication features for the credit cards known as the Card Verification Values (CVV), and by transferring and posting the hyperlink, Brown caused the data to be made available to other persons without the knowledge and authorization of Stratfor Global Intelligence and the card holders."
For this, Brown was indicted on one count of trafficking in stolen authentication features. According to the press release by the U.S. Attorney's Office for the Northern District of Texas, the count carries a maximum penalty of 15 years in prison.
Brown is also alleged to have possessed "at least 15 ... unauthorized access devices," i.e., "stolen credit card account numbers" and CVVs. According to the indictment, that constitutes access device fraud, which could bring 10 years in prison.
Brown was also indicted on 10 separate counts of aggravated identity theft, each of which carries a mandatory two-year sentence and a possible $250,000 fine.
The identity-theft charges stem from the allegation that Brown "knowingly transferred and possessed without lawful authority the means of identification" of 10 separate individuals identified in the indictment only by their initials and cities of residence.
Brown allegedly possessed those 10 individuals' names, addresses, telephone numbers, email addresses, Stratfor usernames, credit-card numbers and CVVs — just as would anyone else who had downloaded and examined the data dumps that were posted online.
Pressure to talk?
To someone versed in digital security, the government's case against Brown sounds weak. But to the average American juror, the indictment could make it sound like Brown's a master cybercriminal, the equivalent of the Russian crooks who steal millions from American bank accounts every year.
The U.S. government seems to be cracking down on nuisances like Brown just as ardently as it does on online organized crime. Prosecutors may be exploiting the general public's lack of understanding of digital security in order to bring charges for trivial or non-existent offenses.
The technology is ahead of the law by a generation or two, and there's no easy way to fix that problem.
Just last month, "gray hat" hacker Andrew "Weev" Auernheimer was convicted of conspiracy to hack into a computer and of personal-information fraud, even though all he did was show a reporter data that a friend had collected from a publicly accessible website.
Brown never tried to sell the information he had, which might have netted him a few dollars in underground criminal bazaars. Auernheimer's information, a collection of email addresses, might have been of interest to spammers or online marketers, but he made no attempt to sell it either.
Perhaps the government feels emboldened by the Auernheimer conviction. Perhaps prosecutors plan to use Brown's indictment to pressure him into giving up what he knows about Anonymous. (Brown has been jailed since September for allegedly threatening an FBI agent.)
What is clear is that federal prosecutors seem to be stretching the definition of digital-information crimes to include a wide range of activities that would, in the physical world, be considered lawful.
In the real world, it's not a criminal offense to know a stranger's name, address or license-plate number. It's not a crime to find and pick up a credit card that someone else dropped in the street.
In the physical world, you don't actually commit a crime until you take action by stealing the stranger's car, breaking into his house or using his credit card.
But according to Barrett Brown's indictment, merely knowing the digital equivalents of these items is enough to send you to prison for 45 years.