Published by The Lawfare Institute
The years since the 2016 election have been a national trauma that the U.S. shouldn’t be eager to revisit. Yet almost no policy changes have been made as a result of what the country has learned from the Mueller investigation and related events. In this post, I’d like to start assembling a menu of possible reforms that address the lessons learned from what Lawfare sometimes calls L’Affaire Russe.
This is a fraught exercise because the narratives about L’Affaire Russe have diverged so far between Trump supporters and Trump detractors that almost any proposal for change will implicitly contradict the narrative of one camp or the other. So, to save time, here are my most salient biases in the matter: I’m generally comfortable with most of President Trump’s policy instincts; I’ve spent a lifetime working with intelligence and law enforcement professionals who do battle every day with very real enemies of the United States, Russia among them; and I believe in them and in making government work, which makes me uncomfortable with President Trump’s character and lack of policy-making fine-motor skills. With that mixed perspective, I am hopeful there may be room for at least some agreement on things we ought to do differently in future. Let’s start with the event that kicked off the whole affair—Russian President Vladimir Putin’s brazen interference in the 2016 presidential election.
The most disturbing Russian acts in 2016 were the hacking and release of private messages from the Democratic National Committee and the Democratic Congressional Campaign Committee. It is disturbing because these acts clearly had an effect, and there’s every reason to think they will be repeated. Indeed, the tactic of hacking and doxxing Americans has already been embraced by other governments. The North Koreans did it to Sony. Persian Gulf nations are now routinely hacking and doxxing each other’s representatives in Washington, D.C.
As a nation, the United States should not tolerate such interference. The country has taken some actions against the Russians, but it’s hard to believe they will be deterred from further attacks by the threat of more indictments and more sanctions and more Cyber Command denial-of-service attacks on election day. As long as the release of stolen documents has an impact here, Putin will see it as a cheap and gratifying projection of Russian power. So the U.S. ought to take steps to reduce its impact by restricting the dissemination of stolen data.
Of course, stopping the dissemination of such information raises real First Amendment questions, but the Supreme Court’s pronouncements on this topic have been surprisingly qualified and leave plenty of room for legislation that would drain much of the fun out of Russian cyber-kompromat. In the leading case, Bartnicki v. Vopper, the court refused to enforce a statutory prohibition on disseminating the contents of illegally wiretapped conversations. The conversation in question was a cell phone call in which a member of a teachers’ union said to the union’s negotiator that if the school district didn’t improve its offer to end a strike, “we’re gonna have to go to their, their homes … to blow off their front porches, we’ll have to do some work on some of those guys.” The Supreme Court’s opinion considered two principal justifications for a ban on dissemination of tapped conversations—deterring wiretapping and preserving privacy. The court dismissed the first because it thought deterrence could be achieved by prosecuting those who conducted the illegal tap. It was troubled by the second, recognizing that failing to punish the disclosure of private conversations was itself likely to restrain private speech. Nonetheless, in an expressly narrow decision, the court concluded that the conversation being disclosed was a matter of public concern, so that prohibiting dissemination would trench too far on freedom of speech. Two justices who were necessary to the majority wrote separately, narrowing the decision further by declaring that only a communication threatening physical harm or the like was of sufficient public concern to justify overriding the dissemination ban.
To my mind, this decision leaves plenty of room for imposing restraints on the distribution of private emails stolen by a foreign government. The government’s interest in protecting private speech remains strong in the case of foreign government hacking, and it is bolstered by a deep national security concern that was quite lacking in Bartnicki. What’s more, the Bartnicki court’s notion that such thefts can be deterred by criminal prosecution is demonstrably wrong where government hackers are concerned. We’ve indicted Russian, Chinese and Iranian government hackers; it hasn’t deterred any of them for long. Even taken at face value, the decision protects only dissemination that addresses a matter of public concern. That by itself would seem to allow Congress to restrict massive dumps of private communications that do not touch on significant public issues, let alone make threats of violence.
Would such a law be fully effective? Maybe. The Russians could try posting the trove on some foreign server, but the owners of that server would be risking liability under U.S. law, and they would surely be more easily deterred than government agents. What’s more, if search engines and social media links to the stolen data are prohibited, then the value to Putin of the release will be far less. It’s impossible to know for sure without trying.
The fact is that we could go a very long way toward taking this weapon out of Putin’s hands without falling foul of the First Amendment. And if anything calls for aggressive solutions, it’s the prospect that Russia, China, Iran and North Korea will all decide in 2020 to shape the U.S. election by spreading their least favorite candidates’ confidential communications all over the internet. With that in mind, here’s my proposal (those who find it too radical are free to suggest something else that’s equally likely to reduce foreign government hacking in future elections): Congress should simply prohibit wholesale distribution of or links to data stolen from the computers of a U.S. political party, candidate or official. An exception could be made to allow news media to quote from such data in a news story relating to a matter of overriding public concern, but before doing so, the media would have to give copies of any material they receive from the hacker both to law enforcement and to the original owner, far enough in advance of publication to allow the owner to determine whether the material has been forged to make it juicier (an increasingly common tactic for state hackers). Violations could result in penalties of $10,000 per download. That’s a bargain next to the $175,000 per download you’d pay for illegally disseminating an album online. Our democracy deserves at least as much protection as popular music.
I like to think this idea has at least some hope of bipartisan support. It’s obvious why Democrats might get on board. But there is no reason to think the GOP won’t be the next victim. After all, 2008 Republican vice presidential nominee Sarah Palin was the first candidate to be hacked and doxxed in the middle of a campaign. If I were advising the Republicans, I’d urge them to embrace such a measure now and claim credit for generosity—because the day after they are victimized, support for the bill is likely to dry up on the other side of the aisle.