The FBI and Justice Department are investigating whether St. Louis Cardinals employees illegally hacked into networks owned and operated by the Houston Astros, The New York Times reported Tuesday.
The hack involves a database -- built by Astros general manager Jeff Luhnow, who worked for the Cardinals until 2011 -- that contained information about potential trades, player evaluations, and statistics. Investigators believe the Cardinals feared that Luhnow may have taken their proprietary information with him to Houston.
The case, believed to be the first corporate espionage case involving two professional sports teams, sparked rounds of social media schadenfreude and calls for harsh punishments from Major League Baseball. But it also has significance outside of the realm of sports: it rests on a piece of computer technology law that has been a source of major controversy since the death of internet hacktivist and Reddit co-creator Aaron Swartz two years ago.
As HardballTalk’s Craig Calcaterra noted Tuesday, the investigation into the Cardinals hinges on the Computer Fraud and Abuse Act, approved in 1986 to govern computer hacking and fraud. The law prohibits anyone from “knowingly” accessing “a protected computer without authorization,” and it was at the center of a high-profile case involving Swartz, who was arrested on federal hacking charges in 2011 amid allegations that he illegally obtained millions of files from a computer database at the Massachusetts Institute of Technology.
Swartz killed himself in April 2013. At the time, he was facing the possibility of $1 million in fines and up to 35 years in federal prison.
His death reinvigorated calls to reform the CFAA, as privacy and online advocacy groups have argued that the “without authorization” provision is too broad and the penalties too harsh given the growth of the Internet over the past three decades. The New Yorker called the act “the worst law in technology,” while advocacy organizations, like the Electronic Frontier Foundation, have proposed model legislative reforms aimed at reducing the CFAA’s focus on small-time hacking. Groups from across the political spectrum, including the ACLU and FreedomWorks, signed on to calls for reform.
The same year, Sen. Ron Wyden (D-Ore.) and Rep. Zoe Lofgren (D-Calif.) introduced legislation, dubbed Aaron’s Law, to refocus the CFAA on “truly malicious attackers” rather than on instances that violated terms of service agreements but weren’t necessarily meant to cause harm.
The legislation, which also had the support of Sen. Rand Paul (R-Ky.), never received a vote in committee. Critics of the proposal argued that it would effectively gut the CFAA's ability to prosecute hacks or the theft of corporate business information. Lofgren and Wyden re-introduced Aaron’s Law in April of this year.
Lofgren's office would not comment without full details of the investigation, but the Cardinals’ case is likely an example of the type of hacking that would remain a priority even under the proposed reforms. Lofgren and Wyden have stressed that their bill would reduce the law's focus on “everyday internet activity” while still allowing prosecution of actual “hack attacks.” Even if the Cardinals breach was, as the Times reported, an unsophisticated effort, the circumvention of password requirements is still a prosecutable offense under Wyden and Lofgren’s bill.
For now, experts have speculated that the potential violations of the CFAA could lead to prison terms if any Cardinals employees are found guilty of hacking into the Astros' systems.