
Barrett Brown leaves prison still chained to a crime he didn’t commit

Brown was released from a San Antonio-area federal prison on Tuesday.

 

Dell Cameron

Tech

Posted on Nov 29, 2016   Updated on May 25, 2021, 12:02 pm CDT

Dallas-based journalist Barrett Brown walked free from prison on Tuesday morning after spending more than four years behind bars.

The 35-year-old cause célèbre, convicted in January 2015 after spending more than two years in pretrial confinement, faces a laundry list of post-release restrictions and obligations, including drug treatment, mental health evaluations, and computer monitoring. After departing the Three Rivers federal correctional institution in San Antonio, where Brown continued his work as a writer over the past year, publishing award-winning essays at D Magazine and the Intercept, he will report to a halfway house in Hutchins, Texas, before 4pm CT.

Brown has been ordered to continue paying at least $200 every month to Stratfor, the Austin-based intelligence firm, over the devastating cyberattack that nearly crippled the company five years ago. While Brown had no foreknowledge of the security breach—which, despite popular belief, occurred more than a month prior to the involvement of Anonymous hacker Jeremy Hammond and his AntiSec crew—Brown is nevertheless stuck paying $890,250 in restitution for a computer crime he had neither the skillset nor the inclination to carry out himself.

An offbeat agitator, Brown is what David Carr, the late New York Times journalist, described as “a pretty complicated victim.” His case, at its core, was often a battle over the identity of the man himself: Whereas the United States government went to great lengths in court to portray Brown and Anonymous as two sides of the same coin, his supporters (Noam Chomsky, Cory Doctorow, and the late Michael Ratner among them) saw him rather as a cocky, freewheeling journalist with anarchic views about transparency. 


Brown’s eagerness to uncover the U.S. government’s dealings with private security and intelligence contractors led to frequent exchanges with criminal hackers (while, incidentally, under FBI surveillance) and placed him perilously close to the national security investigation into WikiLeaks, which is ongoing to this day.

Brown was convicted in a Dallas federal courtroom in January 2015, after accepting a plea bargain that significantly reduced his potential prison sentence. The charges to which he pleaded guilty stemmed from an after-the-fact involvement in the Stratfor hack, and a YouTube video in which he appeared to threaten an FBI agent. While charges related to the theft of Stratfor’s credit card data had been tossed out nearly a year before his sentencing began, the financial impact the company endured at the hands of Anonymous continued to play a major role in Brown’s prosecution.

Armed with a litany of terrible metaphors, U.S. attorney Candina Heath proceeded to paint Brown as “someone who knowingly stole and distributed credit card information,” to quote D Magazine reporting from the courtroom. “It doesn’t matter the number of hands it passes as long as they know it’s stolen property,” she said, referring to the Stratfor documents obtained by AntiSec, which had been widely circulated online by the time Brown acquired them.

The U.S. government’s position, Heath said, was that Brown, by copying and pasting a hyperlink in a chatroom, had done the “same thing” as the hackers who had actually infiltrated the company and stolen thousands of credit cards, which they used—and Brown did not—to allegedly rack up more than $700,000 in fraudulent charges. “Regardless of whether or not it had been made public by somebody else,” Heath told the court, “Mr. Brown took material, data, credit card information that he understood to be stolen and purposefully trafficked in it to another location for other people to use.”

The prosecution admitted it had no evidence that anyone who clicked on the link shared by Brown had stolen any money. The “other people” to whom Heath referred were an army of amateur researchers with whom Brown had begun to collaborate in chat rooms by late 2011, dissecting the various batches of stolen emails Anonymous routinely dumped in bulk online. By that time, Brown had repeatedly sought to disassociate himself from Anonymous. He had publicly disavowed the hacking collective on several occasions up to three years before his conviction and had founded his own organization, Project PM, to suit likeminded digital activists.

To many journalists, both in the U.S. and abroad, the government’s insistence that Brown had committed a crime by simply sharing an already broadly disseminated URL was staggering. The case was often depicted in the press as having potentially far-reaching consequences for journalists and researchers who regularly receive and pore over hacked material. Even more troubling was the government’s attempt in 2013 to silence Brown while he was behind bars, at one point seeking a court order to prevent him from publishing articles while in custody.

Chat logs published by the Dot in the weeks leading up to the final hearing, which were sealed by a court order in the Southern District of New York, showed that Brown and the Stratfor hackers were not exactly the compadres the prosecution made them out to be. AntiSec, it turned out, viewed Brown primarily as a disruptive outsider throughout its monthlong attack. “You have nothing to do with this operation,” Hammond, who is serving the remainder of a 10-year sentence for his involvement in the Stratfor hack, once told Brown during a heated online encounter. Brown signed off telling Hammond, “Fuck yourself.”

In a secured chatroom, absent Brown, which the FBI had been monitoring for more than a month, Hammond and his crew discussed ways in which they could attack Brown’s credibility and tarnish his reputation. The hackers entertained plans to cripple his communications network, and, at one point, even proposed dumping a batch of stolen credit cards online under his name. 

When the government introduced more than 500 pages of chat logs at Brown’s initial sentencing hearing, however, it excluded documents from the Stratfor hack that challenged the prosecution’s version of events, remaining firm in its conviction that Brown had played a major part in the attack. Delivering yet another bad metaphor, Heath likened Brown’s involvement to “somebody stealing your car” after it had already been stolen. By sharing a link to Stratfor’s stolen data, Brown had stolen it further, Heath argued, to the dismay of reporters seated in the courtroom.

A rarely reported fact: Stratfor’s credit card databases had been picked clean by a hacker unaffiliated with Anonymous months prior to the group’s involvement in early December 2011. Likewise, Stratfor had been thoroughly infiltrated well before Brown was even aware of the breach. Furthermore, a confidential forensic report concerning Stratfor’s systems—leaked to the Daily Dot and published more than two years ago—reveals a catastrophic level of negligence on the part of the company itself.

A Verizon security team, contracted to audit Stratfor’s servers in January 2012, found that only three out of 12 mandated fraud prevention requirements had been met. Eight of the nine security requirements not met by Stratfor directly contributed to the breach, the researchers found. The firm’s corporate environment and e-commerce environment were not properly segregated as they should have been; there was no anti-virus solution deployed on any of the systems reviewed by investigators; and the company’s stored customer data was not protected with industry-standard encryption.

“In light of a confirmed system breach,” Verizon reported, “it should be noted that several distinct vulnerabilities and network configurations existed that allowed this breach and subsequent data compromise to occur.” Stratfor, asleep at the wheel, offered the hackers something even more enticing: a high-level administrator account that had, inexplicably, never been secured with a password. In June 2012, only six months after the hack, Stratfor quietly settled a class-action lawsuit with its customers to the tune of $1.75 million.

Brown, whose first stop after prison was for an Egg McMuffin, could not be immediately reached for comment. 

Correction: A previous version of this article incorrectly identified the prison from which Brown was released on Tuesday. Brown was released from the Three Rivers FCI in San Antonio, Texas. We regret the error. 

*First Published: Nov 29, 2016, 12:03 pm CST