In an unprecedented move earlier this week, President Obama signed a new executive order directing the US government to impose sanctions on foreign hackers as part of a "national emergency." Basically, foreign hackers like those in China's elite cyber army can now be treated like terrorists and drug lords when it comes to their money and assets on American soil.
But the order's scope is incredibly broad, leading many to wonder whether it could target whistleblowers like Edward Snowden, journalists publishing leaks, and other rabble-rousers the US government generally doesn't like.
Even worse, a thread posted to several Reddit boards claims, the US might now be able to seize the assets of anyone who donates to Snowden.
That doesn't seem very likely—at least not right now. But Obama's mandate is indeed quite vague about who it can punish and for what kinds of "cyber" conduct.
The executive order (which is made under the International Emergency Economic Powers Act) directs the Department of the Treasury to sanction anyone outside the US "directly or indirectly" involved in "cyber-enabled activities … that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States."
Among other things, it includes those "causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain," and anyone receiving or benefiting from "trade secrets misappropriated through cyber-enabled means."
There's also a section allowing the government to seize assets from anyone who provides material support to a nation or individual sanctioned under the order. The order includes anyone making donations to a person whose "property and interests in property are blocked pursuant to this order who might have a constitutional presence in the United States."
There, the Reddit denizens say, Snowden seems like he could fit the bill.
"I donated to Snowden today … Please come arrest me," wrote Reddit user KayRice on the site's Bitcoin board, posting his real name, phone number and state of residence. Later, Snowden's legal fund experienced a slight surge in bitcoin donations as users engaged in an "I am Spartacus" type show of solidarity.
But even supposing Snowden can get sanctioned under the order, it would require a decision from the Secretary of the Treasury and the Attorney General. So far, the only hacking-related sanctions the US has imposed have been on North Korean officials for their alleged role in the hack of Sony Pictures last December.
A more pressing concern is how the President's executive order may impact security research
Kurt Opsahl, General Counsel for the Electronic Frontier Foundation, says the case for sanctioning Snowden under the order would be a stretch.
"They would need to construe giving documents to a reporter in Hong Kong as essentially a 'cyber-enabled' attack on 'the provision of services by one or more entities in a critical infrastructure sector' that was 'originating' in China," he told Motherboard. "There are already laws regarding aiding a fugitive. Occam's razor suggests that the government would just use existing law rather than working out a new justification under the [Executive Order]."
A spokesperson from the US Treasury Department said it "can't comment on specific cases or possible future action," and referred me totheir sanctions FAQ.
Civil liberties groups are still looking over the text, but so far their concerns about the order lie elsewhere.
"We're still digesting the full order, but we've got a few initial questions already," said Opsahl. "One is whether this order could have unintended negative effects on critical security research. For example, could the executive order be used to issue sanctions, without due process, against security researchers who make or distribute penetration testing tools?" In other words: could the government say that the makers of software like Metasploit, a widely-used tool for testing application security, are aiding foreign hackers?
Others have noted it could be used against a security researcher who warns the public about computer vulnerabilities that a vendor ignores or refuses to fix. That tends to happen when researchers find embarrassing so-called "0-day bugs"—vulnerabilities that companies are not aware of—in commercial software.
"The tools that could be used for attacks are also vital for defense, and security researchers who use them should not have to worry that they may face sanctions from the Secretary of the Treasury," Opsahl added.
As far as donating to Snowden's Bitcoin cache, you probably don't need to worry about your door getting kicked down just yet.