Thanks in part to America’s ill-defined hacking laws, prosecutors have enormous discretion to determine a hacker defendant’s fate. But in one young Texan’s case in particular, the Department of Justice stretched prosecutorial overreach to a new extreme: about 440 years too far.
Last week, prosecutors in the Southern District of Texas reached a plea agreement with 28-year-old Fidel Salinas, in which the young hacker with alleged ties to members of Anonymous consented to plead guilty to a misdemeanor count of computer fraud and abuse and pay $10,000 in restitution. The U.S. attorney’s office omitted one fact from its press release about that plea, however: Just months ago, Salinas had been charged with not one, but 44 felony counts of computer fraud and cyberstalking—crimes that each carry a 10-year maximum sentence, adding up to an absurd total of nearly a half a millennium of prison time.
Virtually all of those charges have now been dismissed entirely. And Salinas’s defense attorney Tor Ekeland argues they were piled on based on a faulty reading of computer crime laws, possibly intended to intimidate the young hacker into a unfavorable plea or to damage his reputation. “The more I looked at this, the more it seemed like an archetypal example of the Department of Justice’s prosecutorial abuse when it comes to computer crime,” Ekeland said in an interview with WIRED. “It shows how aggressive they are, and how they seek to destroy your reputation in the press even when the charges are complete, fricking garbage.”
Eighteen of the 44 counts in Salinas’ indictment, for instance, were for cyberstalking an unnamed victim. But each of those charges was based on Salinas merely filling out a public contact form on the victim’s website with junk text. Every time he clicked “submit” had been counted as a separate case of cyberstalking.
>”It shows how aggressive they are, and how they seek to destroy your reputation in the press even when the charges are complete, fricking garbage.” — Tor Ekeland
Another 15 counts of violating the Computer Fraud and Abuse Act in Salinas’ indictment were tied to websites he had targeted in an alleged hacking spree; in some cases he was charged multiple times for different alleged hacking attempts of the same site over the course of just minutes. In each case, Ekeland says, Salinas had merely scanned the sites with commercially available vulnerability scanning tools like Acunetix and Webcruiser.
In his final plea agreement, the only remaining one of those 44 felonies to which Salinas actually pleaded guilty—downgraded to a misdemeanor—was a computer fraud and abuse charge for repeatedly scanning the Hidalgo County website for vulnerabilities. Prosecutors argued the scans slowed down the site’s performance.
Ekeland compares Salinas’ case to similarly aggressive prosecution in the cases of other young hackers like Andrew “Weev” Auernheimer and Aaron Swartz. Auernheimer, another of Ekeland’s clients, was convicted of conspiracy to commit computer fraud and abuse when he and a friend wrote a script to collect AT&T users’ personal information that was exposed on a public website. (He was freed on appeal due to jurisdictional issues.) Swartz was accused of illegally downloading journal articles en masse from the website JSTOR, and charged with 11 counts of violating the Computer Fraud and Abuse Act. Facing 35 years in potential prison time, he hung himself in his Brooklyn apartment in January of last year.
Texas U.S. attorney’s office spokesperson Angela Dodge wrote in an email to WIRED that she wouldn’t discuss the specifics of the office’s prosecutorial discretion. “We believe we secured a plea in this case that will serve as a deterrent to similar crimes and that was in the best interest of justice for all parties involved,” Dodge wrote. “Not only does he stand convicted, but he will also be providing restitution to Hidalgo County for their losses.”
Salinas’ sentencing is scheduled for February 2nd, and he declined through his lawyers to speak before that date. He now faces a maximum of one year in prison, though Ekeland says he plans to argue that Salinas’ punishment should be limited to the restitution he’s agreed to pay.
After all, Ekeland argues, Salinas has already been pilloried in the local and national press, which touted the early charges against him, but ignored the fact that they were dropped. “They destroyed his reputation, they tried to ruin his life,” says Ekeland. “It ran on the front pages of the newspaper down there. His mother cried.”
Both the Computer Fraud and Abuse Act and the cyberstalking law under which Salinas was prosecuted have been criticized for their vagueness. Prosecutors argued the stalking law applied to Salinas’ case, for instance, because he had caused his victim “substantial emotional distress.” “If filling a website submission form a lot of times is cyberstalking, about half of Twitter is going to jail,” Ekeland says.
But just as importantly, Ekeland points out that prosecutors also applied those laws sloppily. The cyberstalking law, for instance, applies to a “course of conduct,” he says, meaning that a defendant shouldn’t face multiple counts for merely filling out a website’s contact form multiple times.
__Ekeland, who took Salinas’ case pro bono, says that the plea agreement demonstrates how over-eager prosecutors have become to prosecute hackers. __”The CFAA is hot right now. They all want a computer crime prosecution notch on their belt,” he says. “But they don’t understand the law or computers. As soon as they got caught, they folded.”
Not every hacker victim of prosecutorial overreach will win the attention of a pro bono lawyer, either. “I feel sorry for all the people that don’t have the support that Fidel had,” says Ekeland. “There are a ton of Fidel Salinases out there that aren’t as lucky.”