On January 31, the Swedish computer security expert and free software developer, Ola Bini, was found not guilty by a unanimous verdict from a three-judge tribunal in Ecuador. This marked the culmination of an unfounded criminal prosecution that has persisted for over four years. The Prosecutor’s Office appealed the acquittal, however, dragging out this problematic criminal case and suspending the court’s decision to lift the precautionary measures pending against Bini. As a result, Bini cannot leave Ecuador or use his bank accounts.
As we previously wrote, the January ruling set a crucial precedent. It was the first time an Ecuadorian court analyzed the issue of unauthorized access to a computer system, an act classified as an offense under Article 234 of Ecuador’s criminal code. Most importantly, the court resisted setting an expansive interpretation of what constitutes unauthorized access of computer systems, a move that could have seriously endangered the beneficial work of security researchers and the vital role they play for our privacy and security across information systems.
The acquittal sentence makes three important facts clear. First, the evidence the prosecution presented was essentially unrelated to the charge of unauthorized access and did not prove the alleged criminal facts. Second, the only piece of evidence that was possibly related, the image of a telnet session showing a connection to a National Telecommunications Corporation (CNT) router, was not proof of criminal activity. And third, the prosecution didn’t present any evidence to prove the required threshold of malicious intent—necessary for the crime of unauthorized access. In short, the court refused to convict Bini based on stereotyped views of security experts intended to stoke fear that he was a danger to the public and state security.
The alleged evidence presented to the court was mainly unrelated to the criminal offense levied against Bini. His visits to Julian Assange at the Ecuadorian embassy in London, his internet service contract, the amount of computer equipment he owned, and translations of private conversations held with various contacts through different messaging applications, were related to a strategy of fear mongering around a “hacker panic,” not evidence of a crime.
The court also did not endorse the prosecution’s attempt to associate the use of Tor, a crucial tool to protect one’s privacy, with inherent criminality. The plaintiffs raised this argument because the image of the telnet session shows that the alleged connection to a CNT router was made using Tor. Tor is a privacy protection tool, but the prosecution and the CNT tried to frame its use as an indication of criminal activity. The fact that the court didn’t endorse this argument is key for those who want to protect their privacy, safety, and security online, as well as for security researchers to develop their work.
The single piece of “evidence” that the court evaluated was an image of a telnet session. It was leaked to the media even before being included in the case file and, as we previously flagged, it ultimately failed to establish proof of unauthorized access or criminal activity. Based on Article 234 of Ecuador’s criminal code, the court assessed whether (a) Bini had "accessed" or "remained" in a system, and (b) whether there was a malicious intent involved, like illegitimately exploiting such access or diverting its traffic. On (a), the court determined that a telnet connection to a CNT router, which asked for a username and password but received no input before the connection time out, is not “access.” Yet, the court didn’t address the issue of the veracity of the image itself. On (b), the court stressed that both the Prosecutor's Office and the CNT failed to present any evidence to corroborate the element of malicious intent, necessary to classify the act as a criminal offense of "unauthorized access." This combination of elements in Article 234 reaffirms how important it is to include malicious intent in the definition of criminal liability when drafting cybercrime laws. As we have repeatedly stressed, the requirement for malicious intent helps prevent the arbitrary enforcement of cybercrime provisions against the beneficial activity of security experts and researchers.
The court also endorsed experts' testimonies that the image cannot even prove that the commands illustrated therein were actually executed. The sentence points out that CNT's expert witness never had access to the devices and systems involved in the alleged intrusion, and the report he produced on behalf of the prosecution was limited to the analysis of a previous report by a CNT's employee. The person who led the area of networks and connectivity of Ecuador's Presidency also stated that the Prosecutor's Office did not request information about any of the equipment, nor the IPs of the equipment, nor the accesses made to the equipment in order to verify a possible unauthorized access.
In June, the Observation Mission of Ola Bini's case, which EFF joins with many other digital and human rights organizations, held a session at RightsCon to analyze Ola Bini's unanimous acquittal sentence, and released a statement emphasizing the points above. These constitute key precedents for other cybersecurity experts and digital rights defenders under persecution. The statement highlights how important it was for the court to refuse to endorse a case based on purported evidence that is unrelated to the charge, avoid broad interpretations of criminal law to persecute security experts based on stereotypes about technology and the infosec community, and refuse to endorse allegations that the use of Tor indicates any suspicion of criminal activity. Although the court missed the opportunity to reinforce the relevance of privacy-enhancing technologies, such as Tor, for ensuring freedom of expression, privacy, and other human rights online, the acquittal sentence is a relevant precedent to enforce.
Now that Ecuador's Prosecutor's Office has appealed Ola Bini's acquittal, despite a lack of evidence against the security expert, Ecuadorian judicial authorities must uphold the sentence’s crucial points and ratify Bini's innocence. It is telling that CNT, responsible for the system allegedly accessed without authorization, did not appeal, which corroborates the weakness of the case. We will continue to monitor case developments to ensure that due process prevails.