There are many pages in the Mueller report. This is a story about what happens on one of the pages.
On page 59 of the report, Mueller describes interactions that Donald Trump Jr., the president’s son, had with WikiLeaks, the organization that helped disseminate the hacked DNC emails. WikiLeaks had been passed the log-in credentials for the website putintrump.org, a website set up by a PAC linking the president to Russia.
According to the report, a few hours after that tweet, WikiLeaks messaged Trump Jr.: “A PAC run anti-Trump site putintrump.org is about to launch. The PAC is a recycled pro-Iraq war PAC. We have guessed the password. It is ‘putintrump.’ See ‘About’ for who is behind it. Any comments?”
Several hours after that, according to Mueller’s report, Trump Jr. sent the following message to “a variety of senior campaign staff”:
Guys I got a weird Twitter DM from wikileaks. See below. I tried the password and it works and the about section they reference contains the next pic in terms of who is behind it. Not sure if this is anything but it seems like it’s really wikileaks asking me as I follow them and it is a DM. Do you know the people mentioned and what the conspiracy they are looking for could be? These are just screen shots but it’s a fully built out page claiming to be a PAC let me know your thoughts and if we want to look into it.
The red flag that sticks out is the part where Trump Jr. writes, “I tried the password and it works.” As far as my understanding of cybercrime law goes, this act, even on its own, could be construed as criminal. (Not that it really matters or that I care if the guy goes to jail or whatever. In fact, he shouldn’t. I’m really just trying to convey to you how stupid the laws on this subject are.)
Much of U.S. cybercrime law remains governed by an archaic piece of legislation called the Computer Fraud and Abuse Act, which basically makes it illegal to gain unauthorized access to a protected computer system. That’s about as specific as it gets. If you access a computer you weren’t supposed to, you broke the law. In 2016, for instance, journalist Matthew Keys was sentenced to two years in prison for passing along log-in info for a website, which was lightly vandalized for less than an hour. The law is in serious need of reform.
You can see why this is, in 2019, complicated. If someone gives you their Netflix log-in, they might be authorizing your access, but Netflix is not. Theoretically, sharing the log-in with a friend is illegal, even if they don’t use it. Another part of the law also concerns “damage and loss” caused by the unauthorized access. Again, the law is vague, so damage could mean deleting information from the system, and loss might mean costing the hacked party money by making them pay for security audits and upgrades.
All of this is a roundabout way of saying that if someone sends you a password, and you try it out just to see if it works, prosecutors can make a very easy case that you broke the law. Some could say that it’s analogous to someone handing you a key to a house and you breaking in just to see if it works. If you are, I dunno, working on a high-profile presidential campaign and someone from WikiLeaks hands you log-in credentials, maybe don’t use them! Just my two cents.
