An activist, who pled guilty to violating the Computer Fraud and Abuse Act (CFAA) while hacking into the private intelligence firm, Stratfor, in May, will be sentenced in a federal court in New York tomorrow.
Jeremy Hammond worked with Anonymous to hack into Stratfor and release information from the firm. The material was eventually by published by WikiLeaks.
While uncharged, he also admitted in a statement after he pled guilty to one count of violating the CFAA, that he had hacked into other websites including “military and police equipment suppliers, private intelligence and information security firms, and law enforcement agencies.” He said he did this because he believed “people have a right to know what governments and corporations are doing behind closed doors.”
The government has submitted its sentencing memo to the judge and requested that Hammond be given the maximum punishment possible in the case, 10 years in prison.
“Hammond is a hacking recidivist who, over the course of almost a year, launched cyber attacks that harmed businesses, individuals, and governments; caused losses of between $1 million and $2.5 million; affected thousands of people; and threatened the safety of the public and law enforcement officers and their families,” according to the memo.
Prosecutors cite a prior conviction in 2006, when he was sentenced to 24 months in prison for “federal computer hacking,” as evidence he was undaunted by his punishment because he later began a “sustained campaign during which he executed cyber attacks against the websites and computer networks of scores of victims.”
The memo goes on to accuse Hammond of having “malicious and callous contempt for those with whom he disagreed, particularly anyone remotely related to law enforcement not ‘concern[ed] with both transparency and privacy.'”
It highlights how the “names, physical addresses, credit card data and email addresses of thousands of clients of Stratfor were released and disseminated worldwide, resulting in approximately $700,000 of unauthorized charges on those accounts and cost more than $1 million to Stratfor to repair.”
The damage to Stratfor was insurmountable for the firm, but it should not go unmentioned that the FBI had an informant, Hector Xavier Monsegur (“Sabu”), involved in the operation to go into Stratfor’s network and obtain files for release. FBI officials claim they did not sit idly by and let this operation unfold as Stratfor was infiltrated, but they did apparently instruct or authorize Monsegur to have all the data obtained from the hack placed on one of the FBI’s own computers.
Many have believed that the FBI thought it might be able to get to WikiLeaks through this operation if they did not disrupt it, which the FBI denies. The agency did not stop the transfer of material to WikiLeaks because it did not plan for the fact that those involved, like Hammond, would keep files on “their own servers” for transmitting to the media organization later.
The sentencing memo submitted actually accuses Hammond of “deflecting” blame or trying to “obfuscate his criminal activity” by claiming in his sentencing submission that “Sabu” participated in the hack, instead of gathering information for law enforcement, by “providing servers for the storage of information and creating chatrooms to facilitate discussions.”
This claim mischaracterizes the CW’s role. As explained in the Complaint, the CW [informant], at the direction of the FBI, provided to Hammond and his co-conspirators a server, which Hammond and his co-conspirators used to store the data they stole from Stratfor. As a result of the FBI’s control of this server, the FBI was able to mitigate the harm by, for example, notifying credit card companies about the compromised cards. The FBI’s control of access to this server also would, and did, provide substantial evidence as to Hammond’s identity and role in the attack. Similarly, the CW created chat rooms for Hammond and his co-conspirators at the direction of the FBI, which monitored the chats, gaining valuable intelligence about the hack which it used to notify Stratfor and credit card companies as the hack developed, as well as powerful evidence of Hammond’s criminal activity.
Ahead of Hammond’s sentencing, Hammond’s lawyers collected 265 letters of support that call for a “sentence of time-served.” They were written by friends, family, academics, journalists, individuals from the tech community and notable whistleblowers.
Pentagon Papers whistleblower Daniel Ellsberg said in a letter, “I believe the actions taken by Jeremy Hammond need to be viewed in a context that considers the profound consequences of private surveillance of political activists in the United States.” Jesselyn Radack, a Justice Department whistleblower, said Hammon “performed an act of civil disobedience out of a deeply held belief that the people have a right to know what the government and unregulated corporations are doing behind closed doors against them.” Professor Gabriella Coleman, who focuses on computer hacking, electronic dissent and Anonymous, said there as no doubt in her mind that Hammond’s actions had been “politically principled and constitute civil disobedience.” The Yes Men said, “It is distressing to us that he faces such repercussions for taking actions that were only meant to bring positive change.”
Brad Thomson, a paralegal with the People’s Law Office in Chicago, knows Hammond and said he had been active in the movements in the city to “end hunger, to end sexism and to end environmental degradation and the negative health impacts from it.” He had volunteered to help “community computer clinics that assist young people and underprivileged individuals from the community in learning basic computer skills necessary to do their homework, write a resume or design a website.”
“Jeremy’s worldview is a communal one, where people take care of each other and support one another” Debra Michaud, a Chicago business owner and founder of the Chicago Chapter of the Rainforest Action Network, wrote. “His home had an open door—if someone needed a place to stay, a warm meal, or an ear, they found a haven there.”
Hammond was arrested in March 2012. He has been denied bail and been in prison since that arrest. He has been in jail for over a year and a half.
Prosecutors have put great emphasis on the leniency shown by the judge when he was convicted of hacking and sentenced to 24 months. He was 19 and was given a break by the judge because his offenses were not “done out of unguided malice, a desire to wreak havoc, which motivates many hacking offenses.”
Important to prosecutors is the fact that Hammond’s sentence should send a message to others not to do what Hammond did.
“More leniency now would hardly serve as just punishment for a repeat offender nor would it serve as deterrence either to Hammond or to others who may be inclined to undertake similar activities,” prosecutors argue. “Hammond was already given a second chance to demonstrate that he could lead a law-abiding life. Instead, having been given leniency, he chose to dramatically escalate his prior offense in scope and consequences. As a result, he caused financial harm and emotional distress, violated privacy and jeopardized public safety, to various entities and numerous individuals he had never met—in other words, he wreaked havoc, just as he hoped to. His conduct now deserves the strongest possible condemnation.”
The request to have Hammond sentenced to 10 years in prison stands in sharp contrast to the sentences of LulzSec hacktivists in the United Kingdom. Ryan Ackroyd and Jake Davis were both sentenced to 30 months and two years in prison, respectively. Mustafa al-Bassam, who also was involved in hacking, was given a two-year suspended sentence and 300 hours of community service. And another hacktivist, Ryan Cleary, was sentenced to 32 months in prison. (Both Ackroyd and Davis are likely to serve only half of their sentences in prison.)
As the National Lawyers Guild points out, this is all due to the incredible power the government has to use an “outdated” and “vague” computer crimes statute to come down hard on hacktivists:
…[T]he CFAA has seen increasing use against information activists in an effort to criminalize everything from the sharing of links to violating terms of service agreements. The most highly publicized CFAA case involved 26 year-old information activist Aaron Swartz, who was threatened with decades in prison for downloading freely available documents from the academic database JSTOR. Swartz took his own life earlier this year…
The Electronic Frontier Foundation pointed out in a letter submitted to the court in support of Hammond that his potential sentence of 10 years is closer to sentences “handed down in the Southern District of New York” for individuals involved in “traditional fraud schemes, which have larger losses and were motivated by the defendant’s desire for personal financial gain.” For example, one defendant was convicted of Medicare fraud that involved a “$100 million loss” and was sentenced to 125 months in prison. The loss from Hammond’s act was much smaller and did not provide him with any personal financial gain.
Hammond is being punished, to some extent, for the fact that the FBI was unable to control its informant and contain an operation before it destroyed a private intelligence firm. It also is true that there should be a differentiation between hacking operations that are a part of “civil disobedience” and hacking operations that are for otherwise malicious purposes. Yet, as with leaks prosecutions where it is impossible to mount a whistleblower defense, the government would prefer there be no distinction so it can protect corporations and government agencies from acts of resistance.
I will be at Jeremy Hammond’s sentencing hearing tomorrow morning in New York. I will be there in the morning to cover a rally before his sentencing and then I will be at the press conference/rally scheduled for after the sentencing.