The Associated Press, 2003-10-24
Computer administrator Bret McDanel discovered a security flaw in his company's software. He warned his managers. They ignored his pleas. So he quit and fired off thousands of e-mails alerting customers to the problem.
The vulnerability at Tornado Development Inc. finally got fixed. But McDanel was charged and convicted of causing damage under the federal Computer Fraud and Abuse Act.
McDanel, 30, maintains he was merely a whistleblower doing the right thing. More remarkable is that prosecutors now agree. Earlier this month, after McDanel served his sentence of 16 months in a federal lockup, they asked an appeals court to reverse his conviction.
The case illustrates the danger that vague laws pose in attempting to govern the tangled complexities of technology. And though McDanel's plight is on the verge of resolution, his experience has had a chilling effect on open discussions of computer security, experts say.
That can be dangerous because malicious hackers have proven to be quite capable of discovering and exploiting flaws that are kept secret from everyone else.
"Security researchers have to think that speaking out is dangerous when they hear about a prosecution like this," said Jennifer Granick, the attorney handling McDanel's appeal.
Ignorance of the intricacies of high tech has led to laws that are easy to misinterpret. Lawmakers, prosecutors and judges often don't understand the difference between bona fide security research and hacking.
It can be very difficult for people who barely understand e-mail to grasp the difference between ethically sound network vulnerability research and the public disclosure of vulnerabilities, said Daniel Ingevaldson, engineering manager of Internet Security Systems, a computer security firm.
And that, Granick says, is at the heart of McDanel's case.
In 1999 and early 2000, McDanel worked at El Segundo, Calif.-based Tornado, which offered a unified messaging service that let customers retrieve e-mail, voice mail and faxes through a single Web site. The company went out of business in 2002.
McDanel discovered that if a user sent a Web address as part of an e-mail, recipients and other outsiders would be able to gain access to the sender's account. Everyone agrees that McDanel warned his supervisors and that they declined to fix the problem.
After leaving the company for other reasons, McDanel learned that the problem still had not been fixed and decided to launch his e-mails to customers.
During the trial, prosecutors described the barrage -- 5,600 e-mails in all sent in late summer 2000 -- as a crippling attack that crashed Tornado's e-mail servers and caused more than $5,000 in damage, a threshold in the law.
In her appeal, Granick said the dollar amount was inflated because it included the cost of Tornado's own efforts to hide the problem.
McDanel was convicted in a nonjury trial on June 25, 2002. His sentence of 16 months was the maximum at the time; the limit is now two years.
"What's happened here is you have this perfect storm of a vague statute, a kind of general ignorance about computers and computer security and a system where prosecutors get a lot of press and money for pursuing computer crime cases," Granick said.
For instance, the Computer Fraud and Abuse Act bars anyone from sending information, with the intent to cause damage, to a protected computer. But the law's definition of damage includes "impairment to integrity" of a system or data -- a phrase so ambiguous that a judge in an unrelated 2000 case resorted to a dictionary for clarification.
In McDanel's case, prosecutors claimed and the judge agreed that "impairment to integrity" includes the publication of a security vulnerability.
In other words, the conviction hinged on McDanel's message, not just his method.
"He let people know it was insecure," said Granick, who is executive director of Stanford Law School's Center for Internet and Society. "And that required them to fix it and deal with angry customers -- the theory being they didn't have to fix it as long as nobody knew about it."
Such no-fix practices are disparagingly known among techies as "security through obscurity." But now that worms, viruses and hackers are repeatedly exploiting vulnerabilities that had been kept quiet for years, many companies have had a change of heart.
The Justice Department's approach to such cases is now apparently evolving as well, as evidenced by prosecutors' motion with the 9th U.S. Circuit Court of Appeals in San Francisco to have McDanel's conviction overturned.
"This case was brought in good faith. It was litigated in good faith. It resulted in a conviction by a federal judge," said Thom Mrozek, U.S. Attorney's spokesman in Los Angeles. "Our good faith is demonstrated again by our steps to have this conviction reversed."
McDanel didn't have a clean record before the Tornado incident. He was indicted for allegedly changing the passwords of servers operated by Morristown, N.J., Internet service provider GTI, where he once worked. He allegedly refused to disclose the passwords until he received pay for his final days at work.
That case is still pending.
A woman who answered the phone at McDanel's parents' house, where he has been living since his release from prison in Los Angeles, said he was not speaking to reporters.
Christopher Wolf, an Internet law specialist at Proskauer Rose, a firm in Washington, D.C., said the Tornado case is unusual but should make prosecutors think twice.
"It will likely put prosecutors on more notice that you can't assume that somebody doing what this guy did is necessarily a bad actor," he said.
Would-be whistleblowers also need to worry about the Digital Millennium Copyright Act, which restricts discussion of technology used to protect digital content. Several legal rights groups have questioned that law's wide powers.
"The role of the law is not to protect the reputation of companies with insecure products, or to protect their profit stream," Granick said. "You want everybody to be equal before the law."