If you call yourself a hacker, does that automatically imply you have criminal intent? Although that’s clearly ludicrous, the U.S. District Court for the District of Idaho decided that a self-described label of “hacker” is significant enough to be used as evidence for bad intentions. Furthermore, the Court decided that since the defendant called himself a hacker, that was evidence enough to allow for seizure, via the copying of a hard drive, even though the Court said that such copying “is a serious invasion of privacy.”
Of course it’s more complicated than that, but basically Battelle Energy Alliance, which manages national laboratories like Idaho National Laboratory (INL), brought a suit against an ex-INL employee, Corey Thuen, and his company Southfork Security. “It began with the US Department of Energy funding an effort for INL to develop ‘a computer program aimed at protecting the United States’ critical energy infrastructure (oil, gas, chemical and electrical companies) from cyber attacks’,” explained Digital Bond. “Corey Thuen was one of the developers of this software program that was later called Sophia.” After Thuen left INL, Southfork Security “wrote a similar ‘situational awareness’ program called Visdom” and Battelle claims the code was stolen.
That’s the general gist, so let’s get to the Battelle v. Southfork Order in which the Court seemed to have ruled from a slippery slope. It was done in secret, or more precisely, it was done without notifying Corey Thuen. Chief Judge B. Lynn Winmill wrote:
Battelle's employee Michael Colson, who has “23 years of experience as an investigator for government and private entities,” testified about people deleting data in the face of an investigation. Okay, agreed; if a person, be it a hacker or a porn addict, were truly involved with illegal activities, then he or she would burn their box immediately if given advance notice that Johnny Law was on his way over to check out the PC. My gripe comes with Colson’s testimony of, “This is particularly so in regards to those with technical skills to wipe the data in a way which does not leave digital footprints.”
But it doesn’t take advanced “technical skills” to reformat, or zero-fill, a hard drive. There is a plethora of programs that have been around for years, such as the old-school Darik's Boot and Nuke (DBAN), and even hard drive manufacturers have software to zero-fill their drives. Although there are sometimes still debates about one pass to overwrite the drive with 1’s and 0’s versus Gutmann’s 35 passes, zero-filling a hard drive is not rocket science; it just takes longer than a regular reformat.
Thuen wanted to open source the “Sophia” technology, but Battelle wanted to license it. After Thuen left INL, Southfork Security wrote Visdom. Battelle claimed the code was stolen and “releasing Sophia open-source has national security implications;” it would be like giving “away the keys to Sophia . . . to the very attackers Sophia is meant to thwart.”
The court document, dated October 15, 2013, talks about the “intend to release Visdom as an ‘open-source’ product ‘shortly’,” so let’s step on the brakes and surf over to GitHub. Corey Thuen, “remasis,” posted Visdom “initial commit” logs seven months ago and updated the ReadMe three months ago. The Southfork Security website states, “Visdom is an open-source situational awareness tool (initial source release will be with first stable version).” The site also states, “No, we didn't steal government code and then open-source it.”
Digital Bond claimed “call yourself a hacker, lose your Fourth Amendment rights,” but as law student Michael “theprez98” Schearer pointed out, “This case has zero, zilch, squat, nothing, to do with the Fourth Amendment (or the Fifth Amendment, given the property issues). This case is about a temporary restraining order between two private parties. The Fourth Amendment's prohibition on unreasonable searches and seizures only applies to ‘state action.’ There is simply no state action here.”
The judge was seemingly influenced by the book Hacking for Lulz, where the word “hacker” should be replaced with “cybercriminal.” If a “hacker” is protecting critical energy infrastructure, that’s nowhere close to the same thing as a “cracker” or “black hat” with malicious intent.
In case you don’t know, CISPA is back on the table. Security researchers worry about laws being passed that could “outlaw” hacking tools and potentially make security research illegal. But you should also be disturbed by a court ruling about the self-described label of "hacker" implying bad intentions; it, too, has far-reaching implications. “So, capability equals intent?” asked Steve Parker. “I’m calling the Office of Pre-Crime. I have lots of people to report.”