Here’s a fun prank to play on a friend the next time they leave their computer unattended. Take a screenshot of their desktop and make it their default background. Right click (on PC), go to “View,” then unselect “Show Desktop Icons.” Pull the taskbar below the screen, leaving a useless image of your friend’s desktop. Watch as they click furiously trying to figure out what’s gone wrong, laughing the quiet stunted giggle of a low-level prankster.
Beware, however, because changing the background on a computer that isn’t yours could qualify you for felony hacking charges. That’s according to the Florida sheriff’s office, which has charged a middle school student with unlawful access to a network, a charge that could give 14-year-old Pasco County resident Domanik Green 10-20 years in prison. Green changed the desktop wallpaper of a teacher he found “annoying” to a picture of two men kissing. (Apparently, the password was the teacher’s last name.)
This computer in particular, however, held encrypted standardized testing data. Despite the fact that authorities state Green never accessed the sensitive information, one of officers on Green’s case warned: “Who knows what this teenager might have done?” While the charges against Green are rather overwrought, stories like these serve to exemplify the massive gap between law enforcement and the technology they’re supposed to be monitoring. From local police in Florida to the Supreme Court, judicial officials have proven themselves to be woefully undereducated on technology.
From local police in Florida to the Supreme Court, judicial officials have proven themselves to be woefully undereducated on technology.
Domanik Green’s case is atrocious on a number of levels. First, the school and the police are effectively blaming the student for his school’s own weak security standards. Green said many students knew the password and would use the administrative login to talk across the school’s webcams. Plus, using your last name as a password to protect the computer from a room full of teenagers who exclusively call you by your last name is the height of lazy cybersecurity. Second, Green is facing felony charges seemingly on the hypothetical idea that he was after standardized testing information. The sheriff office’s insistence on “what this teenager might have done” does not qualify for a crime—you can’t arrest people for having the chance to do something illegal and not taking it.
It’s this sort of broad application that has earned the Computer Fraud and Abuse Act—the federal law Green is being charged under—so much criticism from security professionals. Adopted in 1984, the law is bloated and outdated, allowing prosecutors to call for decade-long prison sentences for actions as small as participating in a DDoS attack or discussing a hack in an IRC. Reddit co-founder Aaron Swartz faced up to 35 years in prison for downloading JSTOR documents he downloaded from MIT’s network. Facing such a steep sentence, Swartz later took his own life.
As Slate’s Justin Peters points out, the CFAA originally applied to very few computers, restricted as it was to computers involved in “interstate” commerce. When the law was passed, that mostly meant computers involved in government or financial affairs. The scenario presented to lawmakers was less Green’s harmless prank and more concerned with secure military networks like ARPANET, an early forerunner to the Internet. Now that most computers have Web access—meaning everything from your smartphone to your toaster is susceptible to the CFAA—prosecutors and police are armed with a powerful law meant to take down top level hackers and apply it wherever they like, even in the case of a schoolyard prank.
Such vague laws are especially dangerous in the hands of a judicial branch woefully undereducated in technological matters, as Domanik Green is finding out now. Judges at all levels of government continually embarrass themselves through ham-fisted attempts at ruling on technology, often with disastrous results. When Google was sued for supposedly wiretapping people’s WiFi connections through their Street View cars, a judge declared WiFi to not be a form of radio communication and, therefore, susceptible to federal wiretap regulations. Except WiFi is a radio communication and the networks Google accessed were unprotected by a password.
Vague laws are especially dangerous in the hands of a judicial branch woefully undereducated in technological matters.
The Supreme Court has been especially criticized for its own lack of expertise on technology, an especially worrisome problem considering potential rulings on cybersecurity, privacy, and mass surveillance by the federal government. Justice Elena Kagan raised more than a few eyebrows when she revealed her colleagues don’t go online often and don’t even use email. The Supreme Court—the same body that needs to decide what the National Security Agency can and cannot look at without a warrant—is still typewriting memos on paper and having aides carry them from office to office.
It is true that one does not have to be a daily user of the such new-fangled technology to understand how the law applies to it. The Supreme Court was rightfully lauded last year for its ruling against warrantless searches of cell phones by police, in which Chief Justice John Roberts declared cell phones to carry more private data than even a household. “A phone not only contains in digital form many sensitive records previously found in the home,” wrote Roberts, “it also contains a broad array of private information never found in a home in any form.”
But the question remains whether courts and police can keep up with technology as it changes—and as more generations grow up with it. To Domanik Green and his friends, accessing their teacher’s login was so easy it likely felt like nothing but the simple joke it was meant to be. To an undereducated police force and naïve school faculty, they likely looked like highly trained hackers capable of anything. While Green was using an administrative login without permission, anyone who understands what he did could never justly throw him in prison for a decade.
As technology increasingly dominates so much of our lives, properly educated law enforcement has never been more important.
Gillian Branstetter is a social commentator with a focus on the intersection of technology, security, and politics. Her work has appeared in the Washington Post, Business Insider, Salon, the Week, and xoJane. She attended Pennsylvania State University. Follow her on Twitter @GillBranstetter.
Photo via WestMidlandsPolice/Flickr (CC BY SA 2.0)