Crimes of the Future

The government’s efforts to regulate hacktivists out of existence

One early morning last May, the FBI showed up at Timothy Burke’s door in Tampa with a search warrant and left several hours later with several of Burke’s phones, servers, hard drives, and computers. Burke, a video journalist and media consultant, had a predilection for teasing stories out of videos, so seizing what amounted to his “control room” was a wing clip from the Feds. Burke is accused of accessing and downloading video content from a computer system he wasn’t authorized to use, in this case the media servers at Fox News. This sort of “cyber trespassing” has been under increasing scrutiny over the last few years as more activity moves online and people are subject to laws and regulations that are still being debated and developed. A journalist like Burke is especially vulnerable to abuses in that gray area, as his investigative work is done almost completely on the internet.

For example, in 2018, while he was at Deadspin, Burke spliced together a tiled mosaic of identical, scripted closing remarks from local news stations that raised the specter of “fake stories” turning Americans against one another. It was a deft bit of dog whistling about “personal bias” and “agendas” meant to signal that the mainstream liberal media was pushing false narratives about Trump and other conservative politicians. The local broadcast stations were owned by Sinclair Broadcast Group, a conservative media conglomerate that owns nearly two hundred local affiliates. The footage amounted to the kind of visual satire that consolidated media has plucked straight out of a Verhoeven movie like RoboCop or Starship Troopers.

In October 2022, Burke’s muckraking made national headlines again. This time, he had dug up unedited footage of a recorded interview between Tucker Carlson and Kanye West that originally aired on Carlson’s nightly news show. The conversation that went to air was touted by Fox News as a seminal, two-part cultural moment where West was going to slay some liberal pieties and probably say some outlandish shit. He did both, of course, but the raw tape contained some stranger, more offensive riffs from West, including antisemitic and racist comments and a story about how “fake children” were being planted in the rapper’s house in order to “sexualize” his own kids. West also admits to being vaccinated against Covid-19, which at that point was a chemical smirch at Fox News. Those moments were all set to be memory holed before Burke shared the unedited footage to Motherboard and a few other outlets, causing many organizations and brands to cease their partnerships with West and condemn Carlson for failing to challenge any of the bizarre, racist rants. 

Digging up these clips took some doing on Burke’s part. According to his lawyers, the journalist was tipped off about third-party platforms that many news broadcasters used to stream low-quality, unprotected 24/7 feeds of their content. He then used a “demo” username and password that he had found on a publicly accessible site to sign into one of these platforms, where he was greeted with a list of URLs that led to those broadcast feeds. One of them included the Fox News livestream, which did not require Burke to enter any credentials. He clicked through, downloaded some footage, and sent those clips off to several media outlets.

The Feds took notice and started investigating the source of the Kanye clip and several other leaks coming from Fox News. (Burke had also pulled and shared embarrassing clips of Carlson talking shit about his viewers and criticizing his corporate overlords. “I can never assess my appearance. I wait for my postmenopausal fans to weigh in on that,” he says in one video leaked to Media Matters for America.) The trail led them to Burke’s front door; after seizing his gear, the FBI and DOJ took nearly a year to build their case, and finally threw the book at Burke in February. He’s facing fourteen federal counts that include conspiracy and wiretapping with a maximum sentence of sixty-two years in prison. The Justice Department may have stacked the charges to pressure Burke into a plea deal, but the financial burden of defending oneself against the full might of the federal government is enough to ruin most people even without going to trial.

Twelve of the counts Burke is facing cite violations of the Computer Fraud and Abuse Act (CFAA), an expansive, distressingly versatile 1986 law that’s been at the center of several high-profile cases including one brought against former hacktivist and Baffler contributing editor Aaron Swartz. Swartz famously downloaded four million academic articles from JSTOR in an attempt to democratize information that was otherwise behind a prohibitively expensive paywall. The Department of Justice hit Swartz with thirteen federal counts that carried a potential penalty of fifty years and a seven-figure fine. Swartz refused a plea deal, effectively daring the feds to prove their case in court. He died by suicide before he went to trial.

For decades, the CFAA was criticized as an overly broad and inexact set of rules that had the vital responsibility of setting legal boundaries on the internet. Much of the criticism was leveled at the term “authorized access,” a two-word semantic mess. Burke is being accused of, among other things, “accessing a protected computer without authorization,” a series of words that might as well be a sleeper cell activation phrase for digital privacy scholars. For almost as long as the law has been around no one could agree on what “authorized access” really was, and confusion in how statutes are applied can lead to some pretty bad places. The legal scholar and internet security expert Orin Kerr wrote about that uncertainty in a widely cited 2003 NYU Law Review article: “The result is an odd situation in which nearly every Anglo-American jurisdiction has an unauthorized access statute that carries serious felony penalties, but no one seems to know what these new laws cover.”

There was wide concern that a company like Netflix could criminally charge users for sharing their passwords since doing so would violate the site’s terms of service and void their “authorized access” in the process. Journalists and researchers were also worried, as data scraping is often prohibited by terms of service too; researchers and journalists who investigate phenomena like the extremist views of law enforcement officers or algorithmic discrimination would potentially open themselves up to criminal charges. University of Georgia law professor Thomas Kadri argued this interpretation allowed “some courts [to] treat all websites as ‘blackacres’—enclaves of private property that platforms may govern much like people may exert dominion over their private land in the real world.”

After decades of uneven application, a 2021 Supreme Court case called Van Buren v. United States finally offered some clarity. Nathan Van Buren, a police officer in Georgia, got caught in a sting operation taking money to run a license plate and determine whether a woman who claimed to be a stripper was an undercover cop. Van Buren was convicted and sentenced to eighteen months in prison before appealing the decision and claiming that, since he was allowed to use the computer system at the police station, he was not “exceeding [his] authorized access” and should not have been liable under the CFAA. His case—the CFAA aspect at least—eventually made it to the Supreme Court, where he found a sympathetic audience. They ruled 6-3 in his favor and in the process created a new legal framework for how criminal behavior on the internet would be determined. It was also the first time the highest court had heard a CFAA case argued before it. As Justice Amy Coney Barrett wrote in the court’s affirming opinion after a 6-3 vote:

The Government’s interpretation of the “exceeds authorized access” clause would attach criminal penalties to a breathtaking amount of commonplace computer activity. For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA.

Barrett goes on to codify a “gates up-or-down” legal framework, which moved the CFAA away from the rubbery world of “authorized access.” Kerr called the decision a “big step toward the needed reform,” pointing out that it narrows the focus of the law to its “core role as an anti-hacking statute designed to protect privacy, and keeps it from being a super-broad law that criminalizes all breaking of promises online.” (For any legal completists out there, two other cases that had big impacts on the SCOTUS ruling are Sandvig v. Barr [2020] and hiQ Labs, Inc. v. LinkedIn Corp. [2019].)

Here’s one way to think about what the decision actually means: if you can picture websites as pieces of property, Barrett’s “gates” are different kinds of barriers the property’s owners might put up, such as needing to enter a username and password (though there is now a debate over what sort of digital bulwarks actually constitute a proverbial gate, e.g. CAPTCHAs). If a user has passed through that gate legally, then they’re not subject to being prosecuted under the CFAA even if they’re doing something like violating a website’s terms of service. Van Buren was abusing his power as a police officer to feed private information to people for money—he was also facing an honest services wire fraud conviction for taking a bribe—but SCOTUS deemed he wasn’t liable under the CFAA because he was an authorized user of the computer system. The SCOTUS decision would have presumably negated the state’s case against Swartz and several others who faced criminal prosecution for fooling around behind a website’s gates that they were “authorized” to access. Burke, though, might not find the same safe harbor.


There is a belief in some naive corners of journalism that the government doesn’t target journalists who break news based on ill-gotten information. Maybe they read a copy of All the President’s Men in high school and it crystallized their perspective of the profession. But punishing the press for publishing embarrassing stories has been a point of bipartisan pride for decades, and that habit has only been supercharged in the era of the PATRIOT Act and mass digital surveillance. In just the last twenty years, both Democratic and Republican administrations have used new tools to snoop on journalists on the receiving end of sensitive administration. The Bush White House—under the guidance of then-FBI director and now-neoliberal folk hero Robert Mueller—subpoenaed the phone records of New York Times reporters who had broken the story of the NSA’s warrantless wiretapping. Trump’s DOJ team acted similarly when they secretly obtained the phone and email records of several journalists they suspected were on the other side of White House leaks. The Obama administration went a few steps further, separately threatening to prosecute a Times journalist who wouldn’t reveal a confidential source and labeling a Fox News reporter as a “co-conspirator” for publishing classified information under the Espionage Act. It got so bad that in 2021, Biden’s attorney general Merrick Garland, eager to distance his boss from the vulgarity of the Trump years, issued a statement that the Department of Justice would refrain from pursuing journalists except in “limited circumstances.” The DOJ will of course dictate what those limited circumstances are.

There is a glimmer of potential change. The Protect Reporters from Exploitative State Spying (PRESS) Act, which bars the government from compelling journalists or service providers to disclose protected information, was recently passed with bipartisan support in the House of Representatives. But press shield laws don’t extend to those who have committed a crime during newsgathering, and as reporting becomes increasingly digitized the boundaries between legal and illegal activity get muddy. The internet is effectively built on illegal activity that is selectively and arbitrarily enforced because charging every person who downloaded a torrent of Joker or Fight Club would be impossible. Even things like bypassing a password-protected paywall—on this very site even!—could be considered “exceeding authorized access.” It’s in these ill-defined borderlands that journalists face the most risk as they unearth government malfeasance or incompetence and gain notoriety in the process.

The perils aren’t hypothetical either. In August of last year, a local paper in Kansas called the Marion County Record had their offices raided while they were reporting on an embarrassing story involving the town’s chief of police. The police were granted a warrant after accusing the paper’s journalists of accessing a privileged website. The paper’s staffers were forced to stand outside their office in the sweltering Kansas heat while the Marion police department hauled away laptops, hard drives, and cell phones. It took an order from the county’s top prosecutor for the cops to return the seized gear; the police chief resigned and the Marion County Record filed a 127-page First Amendment lawsuit against town officials this April. The paper has not been charged with a crime, but it doesn’t take an indictment to intimidate. The police and judge that signed off on the warrant signaled that the press were vulnerable, an especially dangerous precedent in the current climate. The message was clear: think twice before you go to press.

Intimidation has been one of the criticisms lobbed at the prosecutors handling Burke’s case. Burke’s lawyer, Mark Rasch, a former DOJ staffer himself, claims that his client didn’t violate the “gates up-or-down” interpretation of the CFAA because the URLs he accessed weren’t behind any sort of barrier. The livestreams that Burke accessed and downloaded could have been accessed by anyone given enough time to type in random web addresses one after another before landing on the unencrypted 24/7 feed of a major news network where a famous rapper was spewing antisemitic animus. The gate wasn’t open, but there was a hole in the fence.


Analogies for the internet abound—it’s a walled garden or a massive digital library—but there’s an implicit difficulty in applying legal frameworks to digital spaces since the internet isn’t a physical place. Modern jurisprudence is based on centuries of political and cultural evolution stacked on top of each other. The laws regulating a horse-and-carriage in the nineteenth century are at least roughly similar to the laws regulating a Tesla in the twenty-first. Even if you change the venue—like, say, when airplanes came into the mix—the legal development path is relatively straightforward. They all fit into the same mental model. The techno-libertarian party line is that, because the internet isn’t a real place, there shouldn’t be laws governing your behavior in the same way. That is, much like regular libertarianism, a political philosophy for angsty teens. But the internet does require a different legal framework when it comes to privacy and speech as we seem to struggle to conceive of digital spaces in cogent terms.

Consider the Ars Technica op-ed that the venerable press freedom advocates Caitlin Vogus and Jennifer Stisa Granick wrote in response to the government’s indictment of Burke. Here’s how they suggested thinking about Burke’s actions:

Imagine a journalist finds a folder on a park bench, opens it, and sees a telephone number inside. She dials the number. A famous rapper answers and spews a racist rant. If no one gave her permission to open the folder and the rapper’s telephone number was unlisted, should the reporter go to jail for publishing what she heard?

It’s clunky, but the metaphor underlines just how difficult it is to design laws that treat the internet as a distinct environment. It’s like trying to regulate an abstraction.

So did Burke do something illegal? That may not even be the principal question since the contours of the laws at hand are still being shaped and sharpened. Burke is a potential casualty of a still-developing legal precedent, one that’s elbowing into public consciousness as artificial intelligence companies scrape the entirety of the internet to generate machine-brained ersatz art for reasons that elude everyone but VC investors. But throwing fourteen federal indictments at a journalist like Burke does provide a clear signal that certain news gathering techniques are not going to be tolerated by an ostensibly progressive administration. It’s an open question why this sort of alleged digital theft comes with stacked consequences when, say, Burke entering Fox News headquarters and recording the conversation between Carlson and West on his phone would have likely been met with a different set of charges.

The road to precedent is unfortunately paved with cases like Burke’s. As technology continues to outpace the government’s ability to regulate it, the brunt will continue to fall on vulnerable individuals rather than, say, tech executives. But the laws Burke is accused of breaking have an additional purpose: to intimidate journalists who embarrass powerful people no matter how they find the evidence. The bulk of Burke’s alleged crimes hinge on a single flimsy word: authorization. But authority in this case can only be granted by those who seek to obscure what they’re doing. As Rasch’s lawyer points out, if Burke had discovered that a corporation was participating in a massive criminal enterprise but had to ask for the company’s permission to publish a story or risk violating the CFAA, where does that leave investigative journalism? 

When Aaron Swartz died, technology leaders and digital privacy advocates rallied in an effort to enshrine his legacy in law. First introduced in 2013 and then again in 2015, Aaron’s Law would have shrunk the penalties for violating the CFAA down to size and put them at parity with how crimes like copyright infringement are treated in the physical world. It would have also, crucially, gone a long way towards preventing the sort of count stacking seen in Burke’s indictment. But the law was never passed. Instead, broad interpretations of flawed laws like the CFAA are still being used to silence and intimidate people whose work might upset powerful people. As Tim Carmody wrote in The Verge after Swartz’s death:

The government didn’t need to prosecute a big fish if it could make Aaron look like one. The police don’t need to stop drug kingpins if they can make anyone in a car with drugs look like one. Turning disobedience into felonies becomes the easiest thing in the world. The prosecutors wanted headlines, conviction statistics, promotions, and to make the public feel that computer crime was important and dangerous but something was being done about it.

Then as now we’re at the mercy of a legal system that fails to understand anything but power, no matter how it’s accessed.