Is it a crime for someone simply to share a link to stolen information? That seems to be the message conveyed by today's indictment of former Anonymous spokesman Barrett Brown, over a massive hack of the private security firm Stratfor. Brown's in legal trouble for copying and pasting a link from one chat room to another. This is scary to anyone who ever links to anything.
In December 2011, Stratfor was hacked by Anonymous. Thousands of their internal emails were given to Wikileaks, which has been publishing them ever since. The credit card information of many Stratfor customers and employees was stolen and released on the internet as well, where it was used by fraudsters to make illicit purchases. Six men have already been arrested for the hack. But today it was revealed that Brown, who frequently spoke for Anonymous and was writing a book about the group, has also been hit with 12 charges relating to identity theft and fraud over the hack. Brown is already in a Texas prison, arrested in September for threatening an FBI agent.
What was Brown's crime in the Stratfor case? The first charge, which is also the most unusual, was for sharing a link in a private chat room which led to a list of hacked credit card numbers. This charge does not allege Brown actually had the credit card numbers on his computer or even created the link: He just allegedly copied a link to a publicly-accessible file with the numbers from one chat room and pasted it into another. (The other 11 counts in the indictment do involve Brown actually possessing stolen information.)
According to a press release posted by the Dallas Morning News (emphasis mine):
Count One of the most recent indictment alleges that on approximately December 25, 2011, Barrett, aided and abetted by others, knowingly trafficked in more than five authentication features, knowing that such features were stolen and produced without lawful authority. According to the indictment, Brown transferred a hyperlink from an Internet Relay Chat (IRC) channel to an IRC channel under his control. That hyperlink provided access to data stolen from the company Stratfor Global Intelligence (Stratfor), which included more than 5,000 credit card account numbers, the card holders' identification information and the authentication features for the credit cards, known as the Card Verification Values (CVV). By transferring and posting the hyperlink, Brown caused the data to be made available to other persons online, without the knowledge and authorization of Stratfor and the card holders.
As a journalist who covers hackers and has "transferred and posted" many links to data stolen by hackers—in order to put them in stories about the hacks—this indictment is frightening because it seems to criminalize linking. Does this mean if a hacker posts a list of stolen passwords and usernames to Pastebin, the popular document-sharing site, and I link to them in a story or tweet I could be charged with "trafficking in stolen authentication features," as Brown has been? (I wouldn't typically do this, but I've seen plenty of other bloggers and journalists who have.) Links to the credit card number list were widely shared on Twitter in the wake of the Stratfor hack—are all the people who tweeted links going to be rounded up and arrested, too?