Journalists are trained to check their sources, but what if that means digging around the web for stolen goods? Bob speaks with security journalist Quinn Norton about how the recent case of writer Barrett Brown, who received a lengthy sentence for "linking to hacked material," could make a security journalist who checks her sources a criminal.
BOB: Journalist and activist Barrett Brown was sentenced to 63 months in federal prison last week. That’s nearly three years on top of the two and a half years he’s already served awaiting trial. Brown pled guilty to three charges of threatening an FBI agent, hiding his computer during a search of his home, and being quote, “an accessory after the fact in the unauthorized access to a protected computer.”
All the charges stem from an investigation into the 2011 hacking of the private intelligence firm Stratfor by an affiliate of Anonymous, the shadowy group known for sowing mayhem across the Internet.
Fourteen other charges against Brown were dropped. But at his sentencing hearing, one dismissed charge was resurrected as quote “relevant conduct” to be considered in his sentencing. It was for posting a link, from one chat room to another, to documents stolen from Stratfor and dumped online. This development has rattled Quinn Norton, a freelance security journalist, because she was sifting through those same documents at the same time as Brown, while reporting on the hack.
QUINN NORTON: Well this was a pretty crazy day. I was kind of present for all of this, Anonymous gave me an exclusive, I was with Wired at the time. They were posting an archive of credit cards into a public chat area, and Barrett was in that channel, as was I, as was a number of other journalists. He saw the link that went to several thousand credit card numbers. And he posted it into another chat asking what this was.
BOB: So the original charges concerning the link were dropped, but the judge referred to it in sentencing, and apparently heaped on extra prison time for aggravated circumstances. Is that what happened?
NORTON: Yup. One of the things that the judge said was that Barrett Brown was more involved than he wanted the court to believe. Posting the link was seen as participating in the crime.
BOB: Now this is all very murky because Brown isn't only a third party journalist covering these issues, but has been, at least intermittently, very much of Anonymous. So the judge wasn't talking out of his hat.
NORTON: No. It was always kind of unclear where he was at any given time. Partly, that has to do with the culture. Its a tough story that way. And its one of the reasons there weren't a lot of journalists that were kind of regularly deep in on that beat because you've got a crowd of people that are constantly lying to you - that’s actually their thing - and sometimes when you’re even writing on Anonymous its hard to figure out where the line of participation to observation begins and ends,.
BOB: if the very act of linking to leaked documents constitutes a crime or something that can earn you extra jail time, can you go about your business?
NORTON: Well, the position it puts journalists in is that you can print the claims of someone but you can’t check those claims. We have case law in America protecting journalists receiving illegally obtained information and reporting on it. But it's physical. If I walk in and hand you tapes, you can do anything you want with those tapes no matter how I got them. But if I give you digital resources, the law is much less clear on what point you’re breaking into the house versus you’re receiving something else. In security research and security journalism, you will end up finding these caches, being handed these caches, and they provide context for how this data was breached, where it was breached from, but if you don't look at it, you can get that story wrong. And that's why we have to look.
BOB: Give me a for instance about what you do as a routine part of your reporting that could put you at risk in the legal environment of the Barrett Brown case.
NORTON: So if somebody said to me, "Oh, we hacked Strategicforces.com" or something like that, I’d be like, "Ok, did you?" And one of the techniques that people use to get media attention is they can go to a black market site and pay a few hundred dollars or some bitcoins and get a cache of credit cards that's being passed around on the computer underground. And they can turn that over and say ‘This is what we hacked from these people.’ And of course what they’re doing there is they are trying to get me to say that they’ve done something that they haven’t done.
BOB: They’ve committed a crime, but not the one that they’re bragging about.
NORTON: You’ve got it exactly right. So then they hand me a sample of the credit card database and I would look at it to see if its actually the kind of thing that I would expect. At one point I received a credit card archive where Diners Club was misspelled. Which was a hint that maybe it wasn’t a valid one. [Laughs] And often there will be tells like that. So yeah, they’ll give me a sample, and usually they’ll give me what’s called a hack-log, which kind of records the steps they took and I’ll pass that and the sample of the data over to somebody who’s an expert if I can’t follow it. It doesn’t mean that we can’t be fooled at all but it's a lot harder once we’ve verified that it all looks like what it should look like. And since I did a lot of that work, I’ve actually stepped back and I spend a lot more time trying to educate journalists. Because we get a lot of stories out there that are factually or technically wrong or just kind of incoherent.
BOB: Because computer security journalism, you believe, like computer security itself, is pretty much rubbish.
NORTON: Well I want to say that there’s some really good people out there, but right now there’s a lot of news organizations doing the equivalent of sending someone to cover Congress without ever asking them to learn how laws get passed. So I’m trying to help.
BOB: But its hard for you to help, because now you are limited by this possible legal precedent in federal court to what you can do to verify stories. What does the public lose if you can't do due diligence on the stories that you’re covering?
NORtON: They lose a major part of the context of where their lives are increasingly lived. If I can't go through and look at the material people have hacked and figure out how to tell the story of what happened, they don't know the point where their naked selfies are on the cloud and vulnerable. And that's something that can kind of get down to affecting a lot of people.
BOB: Alright, so now what?
NORTON: So now, I think that journalists and security researchers are in a good position to go back to Congress - and I know Congress is dysfunctional - but at least start the conversation. And I know that means an over-60 crowd is going to have to learn how packet-switching works or at least their staffers are, but -- everything we do is going over the Internet.
BOB: In the US Senate, the more moderate of the two houses of congress, 49 senators deny man's role in global climate change. How confident are you that they’re going to understand the world of packets?
NORTON: [Laughs] Well, you know - we need laws that clarify. The only institution that can in our system address this problem is the legislative branch.
BOB: Quinn, thank you.
NORTON: Thank you.
BOB: Quinn Norton is a freelance journalist focusing on digital security, hacking and protest movements.