Today federal prosecutors requested that the main charge in Barrett Brown's case—which stemmed from the pasting of a hyperlink containing leaked credit card data from the Stratfor hack—be dismissed, along with 10 other charges. The motion to dismiss filed by prosecutors is a big victory for Brown, who was facing more than a century in prison, as well as for advocates of information freedom and journalists.
The biggest concern all along has been that if Brown were convicted of sharing a hyperlink, it might well dissuade journalists and bloggers (or anyone else, really) from undertaking similar actions in their work. With that now derailed, the case stands as good precedent that sharing a link to freely available information as part of a journalistic investigation is not an illegal act.
To briefly recap the case, Brown originally copied and pasted the Stratfor hyperlink from #AnonOps IRC (Internet Relay Chat) to #ProjectPM IRC (a relay under Brown's control) as part of ProjectPM, the imprisoned journalist's effort to unmask the cyber-spy-industrial complex. The leaked data included the email addresses of 860,000 Stratfor subscribers, as well as 60,000 credit card details. This data was already available to the public when Brown pasted it to his IRC, though that didn't stop the Department of Justice from claiming Brown's actions were illegal because they made the information more public.
The wisdom of pasting a hyperlink of stolen credit card information into an IRC is worth a debate, but there is no indication that Brown carried it out with any intent to defraud card holders. Instead, Brown's ProjectPM team routinely scoured troves of both leaked and public documents to illuminate the threads connecting US spy bureaus, private intelligence firms (like Stratfor), programs like TrapWire, Silicon Valley data analytics firms like Palantir, as well as banks, venture capitalists and angel investors like Peter Thiel, and other intelligence contractors.
In short, Brown occupied himself with some of the same work that Edward Snowden would later pursue with his massive NSA leaks.
While prosecutors did not lay out their rationale in their motion to dismiss 11 of 12 charges facing Brown, Brown's legal team emphasized these ProjectPM objectives in its own 43-page motion. In it, Brown's lawyers argued that the government had failed to allege an offense (based on legal definitions of "authentication feature" and "transfer"); penalized Brown for conduct protected under the First Amendment (pasting the hyperlink); and prosecuted him under Sections 1028 and 1028A of the US code of law, which are "constitutionally vague and overbroad" relative to Brown's hyperlinking.
The last point is critical. As Brown's attorneys wrote in the motion, "A person of ordinary intelligence would have no meaningful notice as to whether it was a crime to knowingly possess or transfer an item that satisfies all the requirements of an authentication feature but is not issued by a government entity." (An authentication feature is a hologram, symbol, code, etc., issued by a government entity.) The credit cards at issue in the hyperlink were issued by private entities, not a government, making it unlikely that the transfer of authentication features charge would have held up in court.
Now that the hyperlink charge has been dismissed, journalists can rest easier knowing that cutting and pasting leaked documents won't land them a lengthy prison term, and the case lends weight to the argument that hyperlinking is an act of free speech. Another point worth highlighting in Brown's motion to dismiss is that even if the law were precise in its fair warning language (as to the transfer of authentication features), to prosecute on this basis would still suppress protected speech.
The decision to drop the case also appears to settle (for now) the question of whether or not journalists like Brown—as noted in the motion to dismiss—run afoul of the law in undertaking press activities such as "newsgathering and research (e.g. by downloading content from a public website), or verification of sources (e.g. by reading that content)." If this were illegal, then journalists might not be able to verify sources and determine fact from fiction, an integral part of the job.
It's also worth noting a section in Brown's motion to dismiss that deals with the chilling effect that the hyperlink charges might have had on cybersecurity research, which also requires dealing with hacked data:
Private security researchers are often depended on by companies like Stratfor to conduct unsolicited forensic analysis of data dumps in order to find out who conducted the hacks and how future attacks can be avoided. [See Nicole Perlroth, Reporting from the Web’s Underbelly, NY TIMES, Feb 16, 2014.] In doing so, these security researchers (many of whom analyzed the Stratfor hack) knowingly transfer hacked data onto their systems.
Still, the ruling doesn't negate the enormous legal ordeal Brown has faced—he spent more than a year in jail, not to mention legal fees and a government gag order—which is a chilling effect of its own.
The government's case leaned heavily on charges relating to the credit card data, and if there is a larger lesson to be learned here, it might be that individuals probably shouldn't post hyperlinks containing credit card information. Yet while credit card information is pretty universally understood to be sensitive information, such a distinction isn't always so clear.