Federal prosecutor Wesley Hsu has been working cybercrime cases for over a decade. Chief of the cyber crime unit at the U.S. Attorneys’ Office in Los Angeles, his initial focus was on helping Hollywood protect its intellectual property and getting justice for companies that had been hacked by ex-employees. But in the last few years, his focus has shifted to a new area: helping stars protect their sexual property. His efforts aren’t limited to celebs. His team of prosecutors have gone after hackers of the hoi polloi as well, with an emphasis on cases that involve the exposure of scandalous selfies and sextortion. They call the crimes “emotional hacking” and the men responsible “cyber terrorists.”
“It’s such a shift as a prosecutor,” says Hsu. “Before, the victim was Visa. Now it’s harmed young women and teen girls.”
The list of men the L.A. DOJ unit has sent to prison over crimes involving nude photos is impressively long: two and a half years for Michael David Barrett who made a nude video of ESPN reporter Erin Andrews through a hotel peephole; four years for Christopher Osinger who stalked his girlfriend and created a Facebook account for her that featured her nude photos; 10 years for Christopher Chaney who hacked into the email accounts of Scarlett Johansson, Christina Alguilera and Renee Olstead, among other celebs, to unearth scandalous photos; six years for Luis Mijangos, a paraplegic sextortionist who hacked into teen girls’ computers and blackmailed them using their own pornographic photos; three and a half years for Tyler Schrier who stole naked photos from the email accounts of male professional poker players in order to extort them for hundreds of thousands of dollars; and five years for Karen “Gary” Kazaryan who hacked into hundreds of women’s accounts and had thousands of nude images on his computer, so many that law enforcement was unable to identify all of the victims. The office is currently pursuing a case against IsAnyoneUp’s Hunter Moore, the infamous purveyor of revenge porn. While it’s not illegal to operate a revenge porn site — “a big hole in the law,” says Hsu — prosecutors allege Moore paid a hacker to obtain photos of men and women so he could post them to his now-defunct site alongside screenshots of their Facebook profiles.
“There are so many ways to victimize women on the Internet,” says Stephanie Christensen, a prosecutor in the Mijangos case. “The Internet has given predators machine guns that never run out. They can inflict so much damage on their victims which just wasn’t possible before.”
Hsu says he started seeing “emotional hacking” cases come across his desk only in the last few years. There are more nude photos around to get hacked than ever, with ‘sexting’ on the rise according to Pew Research Center; 9 percent of people admitted to Pew that they’ve sent nude photos to someone else, while 20 percent say they’ve received nude shots. Hsu, a slight man with short black hair and wire glasses, has a spacious office on an upper floor of the federal courthouse in downtown Los Angeles which feels crowded thanks to numerous stacks of case files on tables and the floor. Behind his desk is a framed ‘Buffy the Vampire Slayer’ poster, and next to it a photo of Buffy star Sarah Michelle Gellar, inscribed, “Keep beating the real bad guys.” He also has posters of Michelangelo’s Sistine Chapel — “Judgement day is appropriate,” he explains — and a photo of a man standing in front of a tank bound for Tiananmen Square. “It’s the power of one person to save others he doesn’t even know,” says Hsu. Growing up in Orange County, he decided he wanted to be a prosecutor in high school after his parents were hit by a drunk driver while crossing a street. His father suffered a broken rib and his mother went into a coma that lasted for two and a half months. “The guy who hit them got 8 months,” says Hsu. “I felt like I could have done better.” After undergrad and law school at Yale, he clerked for a California district judge with an interest in patent law and then spent three years in private practice at Gibson, Dunn and Crutcher, working intellectual property (IP) and patent cases. He fulfilled his teen vow in 2000, joining the U.S. Attorney’s Office. In 2001, it was one of the first federal prosecutors’ offices to open a cyber unit, which was piloted in San Francisco by Robert Mueller, who went on to become director of the FBI. Hsu switched over to it, a natural fit as most of the initial cases were IP ones, protecting copyright holders from pirates. He became chief of the unit in 2008.
Hsu’s unit has worked closely with FBI agents who, in a unique arrangement, are stationed at the Secret Service’s cyber lab and who also consider emotional hacking cases to be a high priority. “It’s a societal problem that these cases are seen as a violation of the right of privacy instead of as sexual assault cases,” said one of two fresh-faced agents with whom I spoke. They say they comb the FBI’s Internet Crime Complaint Center looking for revenge porn, sextortion and nude photo theft cases knowing they have the expertise to help get them prosecuted. They are difficult cases to investigate. For one, victims are often too embarrassed to report the theft of nude photos. For another, nude photos aren’t prioritized by HQ. The agents say they have to fight for the time they spend investigating them. “It’s hard to sell a victim’s year of anguish vs. a $5 million loss by a company,” said one agent. “For a lot of cyber squads, if there’s not a national security tie-in or huge money signs, they can’t take it.” Knowing that Hsu’s prosecutors will pursue the charges helps the FBI agents immensely.
The FBI agents’ other frustration — given how often they’re following a hacker’s digital trail — was with tech companies. “Some companies make our lives difficult. It used to be easier to get evidence from them,” said one agent. “We just sent a letter along with a subpoena that said, ‘Please don’t tell.’ Now they want an actual court order to disclose non-content information like IP addresses or a name associated with an account and many companies will inform a user as soon as they hear about a subpoena.” They said it’s harder with big companies than smaller ones, who are more likely to cooperate but have less data. The Justice Department formally echoed the agents’ complaint in the Washington Post, saying that Apple, Microsoft, Facebook and Google changing their practices to routinely notify users about law enforcement requests threatens investigations.
“Companies get their radar up about privacy, and it becomes a customer relations issue,” says Hsu.
When Hsu’s team first started bringing nude photo cases into federal courts, some judges were skeptical, especially in cases that didn’t involve celebrities for whom public image has obvious value; they saw the theft of nude photos as a state crime, especially in cases where the defendant and the victims all lived in California. “But state law enforcement was not well-equipped to deal with cyber cases, whereas we are,” says Hsu. “It made sense to me that we should be turning our attention to those types of cases or they would just fall through the cracks.”
“Many judges only pay closer attention if there’s some kind of monetary component,” says Tracy Wilkison, Wesley Hsu’s deputy. And sometimes there is, as in the case of actress Scarlett Johansson who incurred over $60,000 in expenses trying to get websites to take her hacked naked photos down. “Even if these victims haven’t lost money, their lives are destroyed. It ruins their professional relationships, their personal relationships. Some of them never recover from this.”
To turn their cases into federal ones, Hsu and his team of prosecutors sometimes use “tools not created for the Internet” — laws against trespassing, wiretapping (Mijangos put malware on victims’ computers so he could activate microphones and listen to their conversations), and stalking. Thanks to a 2013 Congressional revision of the Violence Against Women Act, cyber-stalking no longer has to occur across state lines to be considered a federal crime. But the best weapon at their disposal is a federal law for crimes that involves computers: the Computer Fraud and Abuse Act (CFAA), an anti-hacking law. Getting a prison sentence worth federal prosecutors’ time is difficult with crimes that don’t involve physical violence or drugs unless there is significant financial damage. Sentencing guidelines don’t take emotional damage into consideration (though Hsu wishes they did). “A case is higher priority if it’s a longer sentence,” says Hsu, explaining that a primary goal for prosecutors is to get defendants to take a plea deal so that a case doesn’t incur the expense of a trial. It also means victims won’t have to testify about the trauma of their nude photos being seen by strangers. “It’s easier if you have a long sentence to get someone to plea. 97% of cases plead,” says Hsu. Absent extortion, it’s hard to prove financial damage in cases involving nude photos, where the harm is reputational and mental, but the CFAA comes with harsh 5 to 20 year prison sentences baked in for “unauthorized access” to another person’s computer. Hsu’s team have used it in every case but the Erin Andrews peephole case, as nowadays the best way to get a naked photo of someone is not to be a peeping Tom at their window but to be an unwanted intruder gaining “unauthorized access” to an online account.
The anti-hacking law has been a controversial one in the last year, coming under attack for being too draconian, too vague, overly harsh in its penalties, and inappropriately used by prosecutors to imprison AT&T flaw exposer Andrew “weev” Auernheimer and to intimidate Internet activist Aaron Swartz, who committed suicide last year. Critics say that laws shouldn’t punish people more just because their crimes involve a computer. Virtual trespassing on a company’s network will land you far more years in prison than physically breaking into its headquarters. I asked the prosecutors what the sentence would be for a man that broke into a woman’s home to steal nude photos she had in a drawer. They didn’t know. “That’d be a local crime,” said one.
In fact, the L.A. bureau is responsible for one of the most controversial deployments of the CFAA. In 2006, when Hsu was deputy chief of the cyber crimes unit, it indicted Minnesota mother Lori Drew, who had assumed a false persona on MySpace to bully a 13-year-old who eventually committed suicide. The prosecutors said Drew had run afoul of the CFAA by violating MySpace’s terms of service with a fake account and thus gained “unauthorized access” to the service, committing a federal crime; the loose tie to southern California was MySpace being based in Beverly Hills. The case was a disaster. A jury did find Drew guilty of misdemeanor hacking but the judge acquitted her, criticizing prosecutors for trying to turn a TOS violation into a felony.
“It was a situation where there was a real crime but there was nothing we could do,” says Hsu. The office learned a lesson about how far it could take the CFAA. “There are plenty of clear violations of the statute. We haven’t needed to wade into controversial waters,” Hsu says. “I’m a technology geek. I’m cognizant of the argument that a not-entirely thought out prosecution could lead to the suppression of ideas and technology, and I have no desire to do that.”
Hsu does have a controversial desire though. He wants to prosecute an Internet troll.
“Part of the calculation of bringing any case is the deterrent effect we can have,” said Hsu. “I’d like to see a threat case where the threat is a result of someone’s speech on the Internet, and someone is threatening to harm the speaker to shout them down.” He was deeply moved by Amanda Hess’s article on women not being welcome on the Internet, and her arguments that women face a far greater proportion of online threats of violence and rape for expressing opinions. He is on the look-out for a case where a journalist or female writer sees a “true threat” — made seriously and not in jest — in the comments section. He thinks a successful prosecution of the harasser could make the Internet a more civilized place. “It couldn’t hurt.”