Developer’s computer seized because he called himself a hacker

library
crime | hacking | security

The US government is a little spooked by hacking.

That was evidenced last week when a US government contractor asked for, and was given, an order that allowed it to knock on an ex-employee’s door and seize his hard drive without warning, largely because the ex-employee started a new software company whose site said “We like hacking things and we don’t want to stop.”

The court said that it ordered Corey Thuen’s computer to be seized without warning because his background as a self-professed hacker made it likely that he would delete evidence in an intellectual property case.

From the court order, published 15 October:

The Court has struggled over the issue of allowing the copying of the hard drive. This is a serious invasion of privacy and is certainly not a standard remedy…

The tipping point for the Court comes from evidence that the defendants – in their own words – are hackers. By labeling themselves this way, they have essentially announced that they have the necessary computer skills and intent to simultaneously release the code publicly and conceal their role in that act.

The history of the seizure starts at the Idaho National Laboratory (INL), a federal governmental facility owned by the US Department of Energy.

Battelle Energy Alliance, the management and operating contractor for INL, brought suit against ex-INL employee Thuen and Southfork Security, the company that he created after leaving Battelle.

The US Department of Energy had funded INL in order to develop “a computer program aimed at protecting the United States’ critical energy infrastructure (oil, gas, chemical and electrical companies) from cyber attacks.”

Thuen was one of the developers of this software program, which came to be known as “Sophia” – a reference to the Greek goddess of wisdom.

After Battelle tested Sophia in 2012, the company learned that electric utility companies were interested in getting their hands on a commercial version, but they wanted that version to come in open-source form.

Battelle wasn’t up for making the source code available, so instead it began a bidding process to let commercial software and network security firms compete for the right to exclusively license Sophia.

Southfork Security was one of eight companies that showed interest.

Thuen, who, the suit says, was pushing for Sophia to be open source, had created Southfork for the purpose of bidding on the software. Southfork submitted a licensing proposal for the software in February 2013.

A few months later, Southfork withdrew from the bidding.

Thuen wound up creating his own program, called Visdom.

The suit alleges that Thuen stole the code for Sophia in order to cook his own program.

TechDirt reports that Andreas Schou, who describes Thuen as a friend and former client, shed light on this case in a Google+ post.

In the post, Schou said that on 16 October, Thuen got a panicked call from his wife, who was being held out on the lawn by Battelle’s lawyers as they tried to call the sheriff in to, presumably, break down Thuen’s door.

Schou’s first thought, he writes, is that it was a mistake, given that Thuen has worked for the government his entire career, at the FBI and as a security researcher specializing in SCADA systems, cyberterrorism, and critical infrastructure, and that he’s accused of open-sourcing a harmless software program:

He’s a straight-laced, church-attending guy with three kids and an admittedly strange job.

And here’s what he’s been accused of: threatening national security by open-sourcing a network visualization and whitelisting tool.

TechDirt’s Tim Cushing writes that Judge B. Lynn Winmill apparently swallowed Battelle’s arguments “almost in their entirety”.

Those arguments, from Battelle’s original complaint, claim copyright infringement, citing Thuen’s software, Visdom, as resembling Sophia.

What Battelle put forth as evidence:

Thuen worked on Sophia and had access to the code.
Visdom’s name is remarkably similar to Sophia (which, again, derives from the Greek goddess of wisdom).
Thuen couldn’t have created his own program so fast without copying substantial amounts of Sophia’s code.

If Battelle had done their due diligence, Schou writes, they’d have checked GitHub, found that Thuen’s open-source project is built in a different language than Sophia, with the use of open libraries, would have been able to check to see when the code had been written, and thus “wouldn’t have sued to begin with.”

(Note that Schou includes a disclaimer: he’s “represented Southfork in the past, and with respect to some peripherally related matters, but do not represent them with respect to this matter.” Nor does he hold equitable interest in the company, and nor is he a creditor.)

The media has been playing up this case as it pertains to rights against unreasonable search, as described in the Fourth Amendment to the US Constitution, but some have disputed that aspect.

One commenter on DigitalBond’s coverage, Paul E. “Marbux” Merrell, J.D., maintains that copyright law is more relevant:

I agree that the 4th Amendment is not in play here. The relevant law is the copyright statute and Fed.R.Civ.P. 65.

A temporary restraining order (“TRO”) in a civil case between private parties where no government search or seizure is involved does not present 4th Amendment issues.

I’ll observe as a retired lawyer with lots of years spent in federal court cases that the judge’s order is staggeringly weak, with the reliance on the “hacker” admission by the defendants on their web site only one facet of a very weak argument by the Court.

Most glaringly, the judge’s order prohibits the defendants from publishing their program, which raises an enormous “prior restraint” 1st Amendment issue that the Court does not address (and that the plaintiff’s lawyers apparently did not address as well).

Beyond Fourth vs. First Amendment issues, at the heart of the matter, of course, is the definition of the term “hacker”.

As Wikipedia notes, others have pointed out and technically-minded people are quick to explain, the term has multiple meanings:

Hacker (computer security) someone who accesses a computer system by circumventing its security system
Hacker (hobbyist), who makes innovative customizations or combinations of retail electronic and computer equipment
Hacker (programmer subculture), who combines excellence, playfulness, cleverness and exploration in performed activities

As many have pointed out, it seems that the court has interpreted the term, as the media often does, using only its criminal meaning.

Perhaps, on appeal, it will be made clear that having the skills necessary to commit computer crime and copyright infringement does not mean that a programmer is destined to destroy evidence in some preordained, genetically mapped-out path to malfeasance.