U.S. Admits Convicted Man Is No Hacker

Times Staff Writer

Federal prosecutors this week abruptly changed the label they had hung next to Bret McDanel’s name, turning him from criminal hacker into innocent whistle-blower.

In an extraordinary reversal approved by top Justice Department officials, the U.S. attorney’s office in Los Angeles on Tuesday asked a federal appeals court to strike down a conviction it won last year against McDanel.

McDanel’s crime: warning customers of an e-mail company he once worked for about a flaw that could let other people read their messages.

Online rights activists hailed the Justice Department move as a rare piece of good news in the escalating fight between free speech and technological security.

McDanel, 30, said Wednesday that he wished the about-face had come earlier.


He spent 16 months behind bars before and during his trial. His fiancee left him, his two cats had to be boarded with his parents and his reputation was trashed.

Even now, McDanel said his future was uncertain.

“I don’t think my name can ever truly be cleared. If you type my name into Google, you will come up with tons of articles about what a bad person I am,” McDanel said from his parents’ house in rural Fiddletown, Calif., east of Sacramento. “If an employer were to search for my name, they’re going to find a bunch of other people who know nothing about the case commenting on it.”

McDanel’s journey from computer guru to Metropolitan Detention Center inmate and back started with his amateur interest in security issues. Like many a young hacker, he began investigating holes in software and posting his findings to online discussion groups in 1994.

After attending community college in New Jersey, McDanel held a series of technology jobs. His wanderings took him to El Segundo-based Tornado Development Inc., where he headed security efforts. The firm, now defunct, offered a service that let customers retrieve their e-mail, voicemail and faxes through a Web site.

McDanel quit to go into business with his fiancee in 2000. Eight months later, he discovered that a security problem he had complained about while at Tornado had never been fixed. The bug could have allowed any of Tornado’s users to view each other’s mail.

After checking with Tornado and learning that the company had no plans to correct the situation, McDanel warned his old friends there that he would take matters into his own hands.

He sent automatic e-mails to every Tornado client he could reach, issuing more than six a second in short bursts, telling them their information wasn’t secure and directing them to a Web site on which he had posted details of the flaw.

In the ensuing uproar, Tornado repaired the defect.

McDanel thought the matter was done until he got a visit from the FBI.

“I had been reading up on the law for a great many years, and I believed everything I was doing was perfectly legal,” McDanel said. “I didn’t think sending e-mail and putting up a Web page would land me in jail.”

At the time, investigators with the major frauds section of the U.S. attorney’s office disagreed. They seized his fiancee’s computers, forcing her to shut down. And they hauled McDanel into court for allegedly violating the Computer Fraud and Abuse Act, one of the nation’s principal anti-hacking laws.

The law prohibits attacks that impair the “integrity” of a computer system. The prosecutors convinced a judge at the trial that simply by telling people how the Tornado software could be compromised, McDanel had harmed the system’s integrity.

After his arrest, McDanel posted bail but was taken back into custody after he used a computer to look for work. The terms of his bail prohibited him from unauthorized use of a computer.

McDanel spent hours in jail researching the law. He said the worst period of his incarceration was during the nonjury trial, when jailhouse clamor kept him from falling asleep before 11 p.m. He was rousted at 4:30 a.m. to wait for each day’s proceedings.

Since his release, McDanel has rejoined his two cats in the temporary care of his parents. Needing permission to use a computer on any job, his only employment has been as a ski instructor, earning $80 a week.

He has also been working on a book about non-Internet threats to computer security.

After McDanel’s appellate attorney, Jennifer Granick of Stanford University, filed her appeal of McDanel’s conviction with the San Francisco-based U.S. 9th Circuit Court of Appeals, the U.S. attorney’s appeals unit revisited the case.

“Defendant’s release of vulnerability information did not by itself cause an ‘impairment to the integrity of a computer system,’ ” wrote Assistant U.S. Atty. Ronald Cheng. “It is on this principle that the government confesses error in this case.”

U.S. attorney’s office spokesman Thom Mrozek said he didn’t know of another spontaneous motion to set aside a federal conviction in his seven years on the job.

Mrozek said he didn’t know whether the government would apologize.

“While Bret unfortunately already served his time in prison, by pursuing this appeal he’s demonstrated that people have the right to tell the truth about when a computer is insecure,” said Granick, who took the case pro bono after McDanel contacted her.

Stanford cyber-law expert Larry Lessig said McDanel’s case was the most extreme instance he knew of a prosecution involving truthful speech about security, though there are fears that the controversial Digital Millennium Copyright Act may also be applied with such force.

“Because the guy was doing something with computers, all rational thought got turned off,” Lessig said.

McDanel said his sense of personal relief didn’t reestablish whatever faith he had in the government.

“More civil liberties are given up every day. It’s going to continue to get worse until people say enough,” McDanel said, then paused. “But then, I’m rather cynical.”