> my answer to about half the questions is caselaw.
True. This is how a Common Law system works, and why rants about 'activist judges' who 'legislate from the bench' are so idiotic in (most parts of) the USA: That's a pretty fair description of how Common Law works.
The legislature writes laws knowing that they can't possibly think of every possible fact pattern, every possible scenario the law might be applied to, and the legislators expect judges to apply their judgement to apply the law, clarifying it in the process. They are active because the law was written to be applied by humans, and they legislate to the extent they effectively add interpretations and nuance to the statute law.
(The only part of the USA not under Common Law is Louisiana, which inherited its Civil Law system from France, which inherited it from Rome. AFAIK, the entire United Kingdom is under Common Law; the UK is, after all, where the majority of the USA got the Common Law from.)
> The legislature writes laws knowing that they can't possibly think of every possible fact pattern
That is know, but the arguing here is that the current legislation is way too vague. Is like a law saying: "Is illegal to be evil"; is haves a very subjective definition to have real-world implications and can be abused easily.
Why does this imply that rants about activist judges are idiotic? Yes, judges frequently have to determine what the law means. No, that doesn't mean they have completely free rein.
Lawyer here, and I have a fairly good working understanding of our common law system. Nevertheless, I think there is some truth to the rants about activist judges legislating from the bench.
This would be a more effective rant if it had a suggested fix and maybe a copy of the letter this guy who is clearly an expert in the field sent to all of the members of Congress on the Science and Technology committee that would have to consider changes to CFAA. Or maybe just to Ben Quayle (R AZ) who chairs the subcommittee on Technology and Innovation.
Chances are, if they want to get someone like that, they are going to find a way. There probably isn't much need to specifically engineer a law to enable that sort of behaviour.
It's hard for an analytical mind to understand that law is mostly a socio-political game with some vague rules. It's not a verifiable axiomatic system (although, I think it should be quite close).
I'm coming to grips with the idea that law is mostly empirical and can only be falsified. Which means that, by design, you can't know if you are following the law or not.
By and large, US law is considered to be stable and has been duplicated precisely for this reason. That's not to say that there aren't areas that couldn't be improved or made simpler. Rather, it's to say that we have a society where laws aren't arbitrarily changed on the whims of whatever party happens to be in charge of Congress.
You can almost think of the law just like you would a complex codebase. Unfortunately, we live in an age where the law has become so complex the average person can't keep it straight. I seriously doubt that this would change no matter how the law were refactored. The good news is that we do have a society where a concerned citizen can learn a lot about the law on their own. Thus, I would argue that the law is complex, but easy to approach if you want to become an expert on a particular module or subsystem.
> That's silly, you say, because that’s not what the law means. Well, how do you know what the law means? The law is so vague that it’s impossible to tell.
No, it's not that this isn't what the law means. It's that this isn't what the law says. There are vague laws, and there are ambiguous laws, but you are way overstating your case here. Either that, or you have never read § 1030.
Care to explain what the law really means then? Because I just read what the law _says_, but to me it still sounds pretty vague, and its unclear exactly what constitutes "authorization".
"Whoever... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains... information from any protected computer. A protected computer is any computer which is used in or affecting interstate or foreign commerce or communication."
His blog seems to be used in foreign communication, it can be accessed from foreign countries. Does that make it a "protected computer"? I accessed his computer and received information. And I was never "authorized" to do so, except through the implied openness of the web, which the law doesn't seem to mention at all.
Orin Kerr has an excellent paper on the state of the law in this area that I'm too lazy too Google right now. But while the courts have occasionally ruled that "access" is "any access," other courts have realized how stupid this is and have moved away from that strict meaning.
The defendant is charged in [Count _______ of] the indictment with
computer fraud in violation of Section 1030(a)(4) of Title 18 of the
United States Code. In order for the defendant to be found guilty of
that charge, *the government must prove each of the following elements*
beyond a reasonable doubt:
First, the defendant knowingly [accessed without authorization]
[exceeded authorized access to] a computer [that was exclusively for
the use of a financial institution or the United States government]
[that was not exclusively for the use of a financial institution or
the United States government, but the defendant’s access affected the
computer’s use by or for the financial institution or the United
States government] [used in or affecting interstate or foreign
commerce or communication] [located outside the United States but
using it in a manner that affected interstate or foreign commerce or
communication of the United States];
Second, the defendant did so with the intent to defraud;
Third, by [accessing the computer without authorization] [exceeding
authorized access to the computer], the defendant furthered the
intended fraud; [and]
Fourth, the defendant by [accessing the computer without
authorization] [exceeding authorized access to the computer] obtained
anything of value[.] [; and]
[Fifth, the total value of the defendant’s computer use exceeded
$5,000 during [specify applicable period.]
The last clause applies when the object of the fraud is access to the computer itself; for instance, if your fraud was "gain free wireless access".
In this case, the defendant is charged with 1030(a)(4), which is fraud, and the government therefore has to prove fraud.
The defendant could also have been charged - in some other case - with 1030(a)(2), which is obtaining information from any protected computer without access. In that case, the government would not have to prove fraud.
A blog is not a protected computer, which is a term with a definition in the law --- it's one that used by financial institutions, by the US government, or that affects interstate commerce. Again: not a blog.
Furthermore, regardless of whether the prosecution charges a crime that requires intent to commit fraud --- for instance, in the unlikely event that they tried to spin a yarn about a blog affecting interstate commerce --- CFAA crimes aren't strict liability. They must prove intent to exceed authorization.
i think you do not even require adwords, because you can construe that interstate commerce happened if the traffic of the website is routed from your web server from one state, to another, and that you paid for the traffic from your web server!
> A blog is not a protected computer, which is a term with a definition in the law --- it's one that used by financial institutions, by the US government, or that affects interstate commerce. Again: not a blog.
That is flatly and totally wrong. Any computer connected to the internet is a "protected computer" for the purposes of this statute: full stop, end of story. Additionally, some computers not connected to the internet are protected computers.
It's possible that a blog on an intranet machine that is absolutely not accessible to the outside world could be argued not to be a "protected computer". Any blog routable from the outside world absolutely is.
Every blog in the world accessible from the internet is in fact being run on a "protected computer". Accessing any of these machines without authorization or exceeding authorization can in fact be charged as a federal misdemeanor.
This is not arguable. It's exactly what the statute says, it's exactly what the DOJ says, it's exactly what every court to consider the issue has said.
For example, here's a direct quote from one case: "the latter two elements of the section 1030(a)(2)(C) crime [obtaining information from a protected computer] will always be met when an individual using a computer contacts or communicates with an Internet website".
Note the word ALWAYS. All that remains to be proven is that you weren't drunk or otherwise not in control of your faculties, and that you did it without authorization or exceeding authorization.
People take issue with me calling you a knucklehead. But you are making statements that anyone with a cursory knowledge of the law would know to be false, and you are making them repeatedly and refusing to educate yourself about it or to investigate in any way or to consider the possibility that you might be wrong.
It's not that far off. Prosecutors have used the CFAA to try to prosecute people for violating the ToS act of MySpace (thrown out by judge post-conviction) and to lodge charges against a scalper which used automated ways to get past a CATPCHA in order to buy tickets. And now Weev gets convicted for finding an undocumented webpage that was a security hole and using that to collect email addresses they then used to embarrass AT&T. He face YEARS in prison. The CFAA is vague on its face.
USA don't appear to be worried about letting such things as jurisdiction and sovereignty of other states interfere with their application of various USC.
tptacek's post (http://news.ycombinator.com/item?id=4812735, '[located outside the United States but using it in a manner that affected interstate or foreign commerce or communication of the United States];') and other info on the statute appears to show that the law is extended to those that cause detriment to US trade from anywhere.
Are you reading this blog? If so, you are committing a crime under 18 USC 1030(a) (better known as the “Computer Fraud & Abuse Act” or “CFAA”). That’s because I did not explicitly authorize you to access this site, but you accessed it anyway. Your screen has a resolution of 1280x800. I know this, because (with malice aforethought) I clearly violated 18 USC 1030(a)(5)(A) by knowingly causing the transmission of JavaScript code to your browser to discover this information.
Jesus, Rob. You know this isn't true. Under the CFAA, you can't simply declare your blog "off limits" and then press charges. I have to access the site with the intent to commit fraud. And my access to your site has to further that fraud.
Although I'm not sure how important intent alone is, I don't believe that intent to commit fraud specifically is the only or even primary factor.
The Wikipedia article about web scraping [1] is quite interesting though very much just a start; it becomes pretty complex when you look at some older rulings such as Feist v. Rural [2] or (especially) Dastar v. Twentieth Century Fox Film Corp. [3].
Then you start thinking about how some of the more recent "click-wrap" agreements play into things... To me they seem unrealistic and/or unenforceable, but it even more complicated when you factor in that the 'protected contents' might be public domain or otherwise potentially preempted by copyright, etc...
It's definitely an evolving area of law. And an area of law that I really enjoy as a 'hacker'. I just hope for continually positive legal evolution...
In the general case, the government must prove beyond a reasonable doubt that the unauthorized access to the computer system was in furtherance of an actual fraud that produced something of value for the accused.
The additional crimes chargeable under the CFAA are:
* Access to state secrets
* Access to financial records or to "protected systems"
Hmm... No. A "protected computer" can be simply "a computer which is used in or affecting interstate or foreign commerce or communication", which includes pretty much anything nowadays as long as some money changes hands, some Google AdWords on your blog ought to be enough.
> In the general case, the government must prove beyond a reasonable doubt that the unauthorized access to the computer system was in furtherance of an actual fraud that produced something of value for the accused.
That is 100% false, and I'm calling you out as having simply made it up. Fraud is NOT required, take a look at 1030, we can quite clearly read:
"Whoever - (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains (C) information from any protected computer, shall be punished as provided in subsection (c) of this section"
The only case anyone can cite where someone's been charged on bare unauthorized access under 1030(a)(2) on the auspices of a TOS violation to "any computer connected to the Internet" was overturned. The precedent we have says you cannot in fact be convicted for this thing that Rob thinks you can be convicted for.
Nobody is making anything up. On either side of the argument.
I seriously don't care about the fine point we're hung up on here. 1030(a)(2) is a bad rule, at least until we fix the definition of "protected computer". There's no underlying political disagreement about whether the statute reads as reasonable, even though in practice it does not mean the thing Rob thinks it means.
My only investment in this debate is that it's clear that most people on HN think that the unreasonable part of CFAA is how they determine "unauthorized access", and that incrementing a number in a URL to harvest information should be fair game. There, I care a lot. People skilled in the art can make a convincing argument for lots of vulnerabilities being so trivial they can't reasonably constitute unauthorized access. That's not how the law works and it's not how the law should work. When Rob says that the problem with the law we have is that it's too easy to make a case that access is unauthorized, Rob is wrong. He's wrong in the specifics: you won't be charged and couldn't be convicted for reading his blog. He's also wrong in principle: the problem with the CFAA, such as it is, isn't that it's too easy to make "unauthorized access".
Completely agree - the issue here is absolutely the definition of "protected computer".
That said, I'm curious which specific case you're referring to in your first paragraph - and which court it was in.
I've done a fair amount of research into this type of case law and, from what I've seen, it seems like things have gone both ways in various different courts. As far as I know there is no binding precedent, at least not from a higher court, but I'd love to be wrong on this.
Seeing as this comment may end up lost within this thread, feel free to shoot me an email directly (available on my profile).
I wasn't responding to Rob's remarks, I was responding to yours. Don't use Rob as a straw man. Also I didn't say "any computer connected to the Internet", that's also a straw man.
> I seriously don't care about the fine point we're hung up on here.
... and that's why you're getting your facts wrong.
You don't know much about the case. I think the case was weak, but "no evidence" is something you can trivially refute. Just look up the two indictments.
I believe the specific charge was "Access to financial records or to 'protected systems'". Unlike a blog which is not protected, the AT&T data was behind a login system.
It wasn't behind a login system, and the indictment did IIRC make reference to AT&T's computers meeting the definition of "protected". But they charged fraud and conspiracy.
I see lots of IRC conversations about things the defendants, Auernheimer and Spitler, could do with the email addresses they were getting... but no concrete plans to actually do those things. Yes, the downloading of the addresses itself was an overt act, but I see no overt act alleged that specifically reveals fraudulent intent or acts in furtherance of a plan to commit fraud. The only overt acts alleged, other than the downloading itself, were (1) they sent some email messages to some of the victims, and (2) they gave all the email addresses to Gawker. I see nothing in here alleging concrete steps toward extorting the victims, or stealing their bank accounts, or deceiving them in any way, or indeed anything by which they would actually profit. Again, they discussed various possibilities, but I see no evidence here that they actually undertook any of them.
I'm sure it didn't help their case that they figured that what they were doing was illegal or at least tortious, and that they attempted to destroy evidence.
But the crux of your response to Rob is that they had the intent to commit fraud, and frankly, reading this indictment, I still don't see any evidence of that beyond some IRC banter.
There's also, seems to me, an odd circularity to the government's argument. They're alleging conspiracy, and among the overt acts that demonstrate this alleged conspiracy, they include the scraping of the email addresses. But the crime that that overt act is supposedly in furtherance of is... conspiracy. Seems to me this recursion is missing a base case :-)
Count 2 of the indictment has a slightly different thrust. Even though it's titled "Fraud in connection with personal information", it references USC 18 § 1028 (a) (7), which says: "Whoever ... knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law [shall be punished, etc.]." What they seem to be saying here is that the ICC-IDs themselves count as a "means of identification" and that the fraud consisted simply of using said IDs to access the AT&T accounts. But this is also circular. The "unlawful activity" is the violation of the CFAA itself. The demonstration that the CFAA was violated rests on the assertion that it was violated.
If this indictment reflects the strongest arguments the prosecution has, I must respectfully disagree with this jury.
> But the crux of your response to Rob is that they had the intent to commit fraud
No, the crux of his response is that the government alleged fraud, and so using the case to claim that just accessing a site is a federal crime is at best hyperbole. Whether or not the allegation of intent to commit fraud is accurate or not is not relevant fo that argument.
I don't quite agree. While the (relevant clause of the) statue does indeed require the intent to commit fraud, arguably a bit of sophistry by the prosecutors allowed them to sidestep the intent of that requirement in this case. If the law is written and interpreted in such a way as to make that possible, I think it's fair to say there's a problem with the law.
It's a little of both, right? They charged conspiracy and fraud. The conspiracy charge was indeed rooted in 1030(a)(2), which is the hotbutton issue on this thread.
I think one thing that is happening here is that we're getting our wires crossed between Rob's post, which says you've committed a crime by reading his blog but that's OK because he committed a crime by sending you Javascript and that post is simply incorrect, and the Auernheimer case from yesterday which is not nearly as cut and dry.
Rob is wrong. But even I think the Auernheimer result is shady; I think "unauthorized access" should be cut and dry (if you know you're not supposed to do something with someone else's computer system and you do it anyways, that's unauthorized access), but the conspiracy charge is shady, the allegation of fraud is extremely shady (they were spitballing about the impact of what they found, not planning an elaborate fraud), and using 1030(a)(2) + conspiracy to avoid confronting those issues is also shady.
Nope. You're committing a violation of Federal law if you access any protected computer (a protected computer is one used in interstate commerce, which is to say any computer connected to the internet), you do so without authorization or exceed your authorization, and you obtain any information whatsoever from that computer. Read it yourself.
For the most part he CAN declare his blog off limits and press charges. Except that Federal prosecutor has to decide to press charges, not the individual.
Note tptacek: you should understand there are several different sorts of crimes criminalized by this statute, and fraud is only one of them, and for the other ones, no fraud is required to have occurred. Read carefully.
My apologies. My pretending to be a lawyer via google is stupid. 1030(a)(2)(c) seems really terrifying, obviously there is formal language in the text "Whoever—
(2) intentionally accesses a computer without authorization and thereby obtains -
(C) information from any protected computer;
obviously includes formal language that means something i don't understand.
1030(a)(2)(C) Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer; shall be punished as provided in subsection (c) of this section.
Under the statute, a "protected computer" generally means any computer connected to the internet.
Also, based on the legislative history, "obtains information" has been read to mean "merely observing" information.
The only issue is "without authorization." Based on its plain meaning, the law could mean that you need affirmative authorization to access any website.
Obviously, that's a real stretch, but there was a case decided by the 1st Circuit Court of Appeals [1] that held a company liable for using a web scraper - where the court said the defendants exceeded authorized access based on the website's boilerplate copyright notice.
IANAl but putting up a website implies granting certain kinds of access. This is common knowledge and common practice. The foundation of Common Law (the basis of our legal system) is "what would a reasonable man do?"
The federal government has plenary authority to regulate interstate commerce. Federal law generally overrides common law to the extent its unambiguous.
It's true that Judge Kozinski in the 9th Circuit said he would not "apply a badly drafted piece of legislation to lead to [an] absurd result."
But the issue is not cut and dry.
Kozinski essentially acknowledged he was interpreting the statute in a manner possibly at odds with its very language. These courts get reversed all the time (over 70% of their cases) - and other circuits have read the law more narrowly.
And the government itself supports a narrow reading of the law.
OP's article is over the top. My point is, the "authorization" part of the law appears extremely broad and as the DOJ puts it: "the case law on this issue is muddy."
Federal law itself resides on common law. (It's more fundamental than the constitution. Ever heard of habeas corpus? Due process? Rules of evidence? Trial by jury? Precedent? Think Magna Carta.) In earlier the linked article Oliver Wendell Holmes is quoted on the importance and nature of the reasonable man.
I'm not a lawyer either, but I am in my 3rd year of law school - so yes I've heard of all those things. I've also studied the CFAA.
Common law is judge-made and only governs in the absence of statutory authority. (Due process and trial by jury are constitutional laws). The reasonable man is primarily a negligence standard.
Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws[1]
It was written by the Congressional Research Service and is well suited for non-lawyers. It is all of 9 pages including cover material and is the tl;dr version of the 97 page:
Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws[2]
No, jellicle. That's Bullshit, informed more by your political biases than any kind of fact.
You can't just focus on statute and ignore precedent, because precedent defines the standards for statutory interpretation. So many people on HN look at the statute and think that's the whole law, and then assume that any arguable interpretation of said statute is legally binding. This is absolutely not the case.
What is the relevant precedent in this case that helps clarify what the law means? Is there precedent that says that you have to commit fraud to be convicted? Or that making a website public always constitutes authorization? What about if the website is publicly available, but the url isn't published, so you'd be required to guess the url to access it. Anyone know what the relevant case law is in that scenario?
Edit: Actually, the EFF page that tptacek linked to earlier mentions the US vs Drew case, where they charged that a person was "unauthorized" simply by being in violation of the MySpace terms of service, but the court instead ruled that they were not unauthorized because the law itself was too vague ("the absence of minimal guidelines to govern law enforcement"), and because the terms of service weren't prominent enough.
There's a lot of confusion in this thread. The courts agree that accessing any internet computer in excess of any sort of actual access restriction is a crime. There was a question - can this be stretched to fit violations of terms of use? That is, a user unquestionably (in the case at hand) has 100% access to read and write on a particular forum, unless they post hate speech (private terms of use of the forum). Now they post hate speech. Does this TOU violation constitute a Federal crime? And the courts seem to be coming down on the side of no, despite the language of the law that would seem to say yes. It's just a little too much of a stretch for the courts to make any TOU violation into a Federal crime.
On the other hand, violating any sort of unambiguous access restriction is clearly illegal. Suppose you start work at a new job. The boss tells you not to read the files in the "BOSS" directory on the webserver, which is connected to the internet and not password protected. You read them. Have you committed a Federal misdemeanor? Yes. No court disagrees. Many people have been convicted and sentenced to prison terms for extremely similar behavior (often involving employees who take files with them when they leave employment, or similar).
> I have to access the site with the intent to commit fraud. And my access to your site has to further that fraud.
Did you read the post? That's not the case, which is exactly the problem. If you access a web site that is publicly available, not behind any login system, but happen to embarrass a large company by doing so (like they mistakenly made it public) then you go to jail. That's why it's so unbelievably stupid and has to be fixed, hence his post.
<i>"intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer"</i>
It doesn't say "intent to commit fraud" or even "intent to obtain information". It just says "intent to unauthorized access". Negligence and recklessness count as intent, so accessing a computer without caring whether you had authorization or not is still "intent".
When the CFAA was written in 1986, all access to computers was explicitly authorized. Then the web happened, when people started recklessly accessing computers without caring whether they were authorized, and everyone was in technical violation of the law.
INAL, but i as a reasonable person would compare a website to a business/restraunt that is open to the public.
A member of the public can enter and look around the area that is obviously designated as public. There are areas in the restraunt that is marked "staff only" - some may have locks, some may not. But anyone who is not a staff entering those areas (whether they broke the lock, or just opened the door coz it was unlocked) is trespassing.
Now, imagine a website in the above scenario. If the administration area of the website is "unlocked" and a user "stumbled" into it, is it still a crime?
As a professional non-lawyer, the problem I see in your comparison is that he requested the data, and was given it. He did not just enter the door. He knocked on the door, and a staff member opened it up for him.
Oh boy, a restaurant analogy. How about this. He was looking at the five cheese pizza on the menu and thought "what do I get if I order a seven cheese", did so, and they brought one out to him. No 'staff areas', just ordering a normal meal that's not on his menu.
I would compare a website to an answering machine; it is a lot closer to what is happening. I dial your number, I get your answering machine, and now I can interact with that answering machine. Same with a website -- I direct my browser to it, and I get to ask it for information, and it is your responsibility to ensure that nothing I send will cause information to be leaked.
See, the problem with laws like CFAA is that they are based on the premise that there is "nothing" a bank could do to prevent hackers from accessing their computers without permission. At no point did anyone stop to say, "Maybe computers that process billions of dollars in transactions every day should not be plugged into the public phone network or Internet until we have some good reason to think those computers cannot be manipulated by hackers;" instead, the thinking was, "Hackers are evil wizards, nobody could possibly protect themselves from hackers, so we should make a law that allows us to throw the evil wizards in prison!" The idea that AT&T should be blamed for leaving customer data out in the open like that is not even on the table (strangely, if AT&T left a binder full of personal information unattended on a table in a public park, and labeled the binder "DO NOT OPEN," they would probably be the target of a successful lawsuit).
This is a very naive understanding. The statute was intentionally modified from "knowingly" to "intentionally" and the reasons for this change are a matter of public record. It was to explicitly decriminalize accidental or careless unauthorized access. Any judicial review takes such documentation into account.
This article is an uninformed rant spreading FUD in the pursuit of a personal goal and it doesn't deserve the attention it is receiving any more than the garbage legal scaremongering for which SCO was notorious.
Also it's "proof of concept" fails to identify screen resolution so not only is the author a failure at reading the law but also at writing working code.
The entire U.S. legal system is based on a principle of "acting in good faith" and interpreting laws from the point of view of a "reasonable observer." If you choose to ignore these two principles, every single sentence of every single law can be convoluted to have an enormous range of meanings. That's not what the law is about -- it's not just about the letter, it's also about the spirit.
Sometimes judges and juries screw up -- maliciously, or otherwise. Most of the time they don't. It sucks, but it's the best system we've got.
That's not to say that the legislators shouldn't try to make laws clear and unambiguous, but they have a lot on their plates and patching a hole in a 1986 legislation that doesn't seem to actually harm anyone isn't high on their priority list.
You know, I think we as programmers have a tendency to want everything to be well-defined, and that can sometimes turn tedious. In this particular case, that's what the OP is doing. Congress simply isn't capable of writing these laws fast enough to keep up with the technology, nor do I think it's preferable ("The citizens of Utah will not stand for oauth2-based authentication! Only SOAP will do!").
This is what we have courts and an executive branch for: the law can really only provide broad guidelines. It's up to the other branches to apply these principles in practice.
except that the wording of the law allows for application in which unfortunate individuals can be prosecuted, but the reason for the prosecution isn't due to the fact that their action has harmed society at large, but might have harmed an important individual or entity. In other words, they can be applied unfairly, and this gives power to entities that have lobbying power over the citizen, with no recourse for the citizen.
Please don't encourage the government to try to update legislation for the world as we currently know it, because that will be woefully out of date in just a few years, and same for something enacted a few years from now, etc. By pointing out what needs to change, they won't remove the law- they will try to update it. The best thing to do is to know how to defend yourself against the existing law so that you can fight it if and when you it affects you. It seems currently that the most obvious defense is that it is unclear. I'm not sure how well that would work, but odds are good that you won't have to defend yourself anyway.
What Rob Graham is saying is very similar to the situation for many years with the Computer Misuse Act 1990 in the UK. It took the conviction of someone for not hacking for the establishment to realise that the law indeed was an ass and needed to be changed, and several years for the amendments in the Police and Justice act to kick in that provided much needed background, sadly at the cost of what are referred to as "dual use tools", such as your web browser.
Are you referring to the guy who was convicted for accessing his bank's site with lynx (or similar)? I remember a story like that but this [1] is basically all I turned up. I'm sure I read more than that originally. Do you know more about it?
Yes, that's the one. Yes, I know the guy in question personally. He's an extremely well respected security specialist who unfortunately got the full kafkaesque treatment[1].
It's always bothered me that laws can be so vague such that, in advance, there's no way for you to know if a particular action of yours would break the law or not. You literally have to do it, wait to see if you're charged, and then wait for a judge/jury to decide which side of the law you fall on. It seems so unfair that law should ever be a gamble.
I've always wished there could be some kind of government agency you could go to, where you would lay out exactly what you would like to do, and they will explicitly decide in advance, and it would even set judicial precedent. Maybe you would have to pay the fees for lawyers on both sides and judge (so it wouldn't be cheap) no matter what the outcome, but if your actions were found to be legal in advance, then that would be binding, and there would be zero risk to your actions.
Every government regulatory agency already does this. This is why we have millions of pages of regulations. For example (not exhaustive), the IRS, Immigration, and Labor departments lay out exactly how to follow the statutes, and set judicial precedent in their administrative courts.
The flipside to this is that there is so much information that people don't know that their questions have already been answered.
Despite the assertions of tptacek, there is no requirement for any fraud to occur for a crime to have occurred. This is a pretty important thing for computer people to understand, and it's really unfortunate that one knucklehead vehemently asserting false facts has ruined this whole thread.
Essentially, anything you do exceeding authorization to a computer connected to the internet is potentially a U.S. federal crime. Anywhere in the world. No fraud need be proved. For example, here are the elements of a crime under 1030(a)(2):
1030(a)(2) Summary (Misd.)
1. Intentionally access a computer
2. without or in excess of authorization
3. obtain information
4. from
financial records of financial institution
or consumer reporting agency
OR
the U.S. government
OR
a protected computer
So if the government can prove these things: you intentionally accessed a computer; without or in excess of authorization; obtained any information at all; and it was a computer connected to the internet, then they have successfully proved that you violated 1030(a)(2). Numerous whistleblowers have been charged with violating this law, including Bradley Manning; at least one "cyberbullying" case has been charged under it, etc.
NO FRAUD IS REQUIRED. You can shouldersurf someone's password, log in as them, type "ls", log out and never use that password again - you've violated that law.
Every person working with computers in the U.S. or anywhere the U.S. can reach with its laws should have this engraved along the top of their keyboard.
you're skating over a bunch of precedent about what constitutes authorization (and indeed fraud, but that's another story). I'm not committing a federal crime right now because the free accessibility of Rob's blog post or this comment thread on HN, free of caveats, provide implicit authorization to the viewer.
Normally I would go and dig up a bunch of supporting material to justify this assertion, but your blanket assertions and dismissal of other posters as 'knuckleheads' tells me that it's simply not worth the effort. Flagged.
> You can shouldersurf someone's password, log in as them, type "ls", log out and never use that password again - you've violated that law.
I am not disagreeing with you, but in your example, wouldn't the part I have emphasised technically be fraud in some letter of the law way, because you have represented yourself as them to the computer?
Despite the assertions of tptacek, there is no requirement for any fraud to occur for a crime to have occurred. This is a pretty important thing for computer people to understand, and it's really unfortunate that one knucklehead vehemently asserting false facts has ruined this whole thread.
I agree, you should stop embarrassing yourself. Multiple lawyers, including practitioners in this field, are discussing in depth why you are completely wrong. Fraud, it should be noted, is only one of the possible violations--there are others. But tptacek's point was that the intent to commit one of these violations is necessary (and that specific intent determines which charges apply. As you can clearly see from the statute, intent is an element for every one of these charges http://www.law.cornell.edu/uscode/text/18/1030.
You can shouldersurf someone's password, log in as them, type "ls", log out and never use that password again - you've violated that law. That's not fraud. That's accessing a protected system, which is a separate charge. It's a problem if you don't have permission, express or implicit, for that access.
The "intent" is "intent to access a computer". It's not "intent to commit a crime".
If I am unconscious, and someone lifts my hand up and uses my fingers to type in a password, I didn't have intent to access a computer - I am not guilty of a crime. But if I intentionally struck keys on my keyboard, knowing that I was striking keys on my keyboard - that's intent. I do NOT have to know that it's a crime or intend to commit a crime.
Some crimes do have specific intent elements, where the person must be proved to have intended some specific result. This isn't one of them.
> tptacek's point was that the intent to commit one of these violations is necessary
No, to be clear, tptacek is saying that fraud is necessary for any conviction under 1030(a). That's false. You're saying that intent to commit a crime is necessary for any conviction under 1030(a). That's false too.
It's you and tptacek vs. the DOJ's cybercrimes manual. Good luck!
You do realize of course, that the manual is about what the DOJ is going to take a position as, and has little to no bearing on how a court will actually interpret the law?
Yes, it makes legal citations, but so do the US PTO guidelines. It's like reading one of the briefs for a supreme court case and declaring that's what the law is.
Like any legal brief, it's just a glorified policy position with legal citations instead of study citations.
If you want to know what you may get arrested for, sure, it's great.
If you want to know what you may get convicted of, it's near worthless.
The first one would be very hard to solve anyway. Most laws don't specifically prevent arrest for minor violations, and at least right now, you can almost never prevent the police from arresting you for something (in most cases, they don't actually have to tell you why they are arresting you, only that you are being arrested. They can charge you with something different than they tell you anyway).
That's specifically not what I said. You can look at the timestamp on this comment and the timestamp on the comment where I listed the 1030(a) crimes to see that. This argument is invalid on its face; it's a straw man.
The core of your argument is that Rob is right that there's a chargeable offense happening when you read his blog, because the 1030(a) statute is so vague. That's just not true. There's specific precedent for why it's not true.
If you want to refine your argument to say that 1030(a)(2) (plain unauthorized access) and 1030(e)(2)(b) ("protected computer") are unconscionably vague and leave too many people exposed to frivolous prosecution, we agree, modulo that I think we diverge on the fact that nobody's going to be convicted in those prosecutions without an allegation of fraud to accompany it.
Your blog post is visible to the public internet. IANAL, but my first argument as the defendant would probably be to point out that that's implicit authorization to access, as is the act of accessing an implicit authorization for you to run Javascript. I could see an argument against the second w.r.t. the option to disable Javascript not being clear or well-known to most people.
and it's really unfortunate that one knucklehead vehemently asserting false facts has ruined this whole thread.
What is it with Hacker News lately? I've never whined about the quality of community before, but this trend is beginning to worry me.
Further bellow you can see someone else saying that your arguments are "bullshit". Then there was this submission the other day stating that "Stephen Elop is so full of shit". Not even "full of it" -- no, it's like that "Madagascar" quote: "Well, of course we're going to throw poo at him!"
I often state my position quite bluntly when I disagree with someone, but personal insults are a different story. (Not that I haven't made that mistake ever, but you make a mistake and you learn from it.)
Honestly, I don't know what I might achieve by writing this, but there's a small part of me that harbors hope that things might change. It doesn't hurt anyone to maintain a modicum of civility, people.
I read things like "knucklehead" as an expression of frustration, and I'm aware that being on the other side of an argument about the legalities of hacking --- OK, I'll own it, being on the other side of any argument with me --- is very frustrating. Yesterday wasn't a banner day for me on HN; I was chasing down emulator bugs and every time I fixed one I'd procrastinate for another 30 minutes to avoid digging into the next. I think I created a lot of frustration in the process.
Not to make it about me; I'm just saying, there are message board pathologies that are as annoying as "knucklehead" but not as obvious, so let's not single them out.
The problem with this post is that it isn't going to convince anyone that doesn't already agree with you. I swear to god that I am on your side. I'm a nerd. I'm pretty confident that what's being done to Weev is awful. You & I probably have mutual colleagues.
But this post made me less supportive of your cause not more.
You wont improve the standing of your argument in this manner. You'll only make regular people think you're crazy.
The posting of corporate earnings is a rather poor example. The law doesn't require you to personally trade on inside information, as an attempt to manipulate trading by furthering actual or false inside information is sufficient. A reasonable person, which is what I presume the standard is, could expect trades to be conducted based off early release of corporate earnings. Therefore, this example isn't really applicable to the authors primary point.
> A well-known legal phrase is “ignorance of the law is no defense”. But that doesn’t really apply here. You know the law exists. You may have read it in detail. You may have even consulted your lawyer. It’s just that nobody can tell precisely whether this act as crossed the line between “authorized” and “unauthorized” access. We won’t know until if and when somebody tries to prosecute you.
This is a GOOD thing. The whole point is, there's no clear line between reasonable access and hacking. It's something which the courts have to figure out.
The Common Law is largely based on common sense, and precedent; and precedent is based on a previous judge's common sense. The three big rules for interpreting laws are the plain meaning rule (use the literal meaning), the "golden rule" (ignore the plain meaning rule if it's obviously stupid), and the mischief rule (figure out what mischief the lawmakers were trying to prevent).
A vaguely written law lets judges use their common sense. While I'm sure there'll be people who disagree with their interpretations, it's either that or black and white statues which simply won't work.
a vaguely written law also allows prosecutors much more broader power than intended, and thus this power could be abused for other purposes than serving justice (for example, to punish an individual unfairly for whistleblowing because they happened to have accessed the information via a channel that could be construed as breaking this particularly broad law).
The opinion is not only compelling, it is a brilliant example of law at its best, for it shows how a wonderful legal mind wrestles with a knotty problem that can be summed up with the question, "Should courts apply a badly drafted piece of legislation to lead to the absurd result of criminalizing a whole host of minor misdeeds committed by individuals every day in using the web and their computers?" Judge Kozinski answered this question with a resounding "no."
He did so by applying the "rule of lenity," which requires "penal laws . . . to be construed strictly." (at p. 3872) "The rule of lenity not only ensures that citizens will have fair notice of the criminal laws, but also that Congress will have fair notice of what conduct its laws criminalize. We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals." Applying this rule, he held as follows: "Therefore, we hold that 'exceeds authorized access' in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use." (emphasis in original)
In other words, though the CFAA is so badly worded that one might potentially give it an absurd and unconstitutional interpretation so as to criminalize things one would think shocking for Congress to have criminalized, the courts have the power to apply well-established rules of statutory construction so as to avoid such an absurdity. Here, the Ninth Circuit did so by construing the CFAA to criminalize violations of access restrictions (i.e., hacking) and not violations of use restrictions (terms of use on website and the like).
Now, there is a split in the federal circuits on this issue and it will either be resolved by an amendment to the statute or it will eventually find its way to the Supreme Court for resolution. But, even granting the split, the most extreme cases in which the CFAA has been applied criminally have involved things such as employees misappropriating trade secrets and other items that go far beyond innocuous things such as violating an employer's computer use policies by surfing the internet on company time.
In other words, no court has gone so far as to adopt anything close to the absurd outcomes suggested in this piece. Even the government in its arguments to Judge Kozinski strongly stated that it would never consider prosecuting such items as crimes. ("The government assures us that, whatever the scope of the CFAA, it won't prosecute minor violations. But we shouldn't have to live at the mercy of the local prosecutor." at p. 3870)
Thus, it is fit and proper to call out the alarmist tone of this piece as being wildly outside the mainstream of where the courts have gone with the CFAA and of where they are likely to go. Is it badly drafted legislation? Yes, it is a mess (if you want to lose your mind, try reading through the text of the statute here: http://www.law.cornell.edu/uscode/text/18/1030). Can it be interpreted to criminalize things that Congress might not have intended to criminalize? Yes, including acts by employees that, though wrongful, may not have been within the contemplation of Congress when it passed the statute. But, that said, is there a risk that the CFAA can be applied to criminalize our daily interaction with computers and the web? No, not unless normal, sound principles of law are wholly disregarded by the courts, which they won't be.
> Pardon me if I'm missing something here, but doesn't the post exactly say that that has what weev has been charged for?
weev's actions are a gray area. I don't think that convicting him under the CFAA is absurd. It might be unreasonable or unconstitutional, but there's a valid security issue at stake. To liken weev's actions to viewing a deliberately published-for-public-consumption blog post is a false equivalence: and precisely what makes the piece alarmist.
I disagree that it's a one-off case. This case now sends a chilling effect to all security researchers. Next, what if a stock broker finds a press release on a web site that was published early, and makes money from it? What if a blogger finds a leaked photo of an unannounced product? The point is that they took a law that was meant to prevent you from hacking past security measures to get into a private computer, and successfully applied it to data posted on a public web server, and that is ridiculous, regardless what his intent was to do with the data.
You "disagree that it's a one-off case", but the comment you've replied to did not claim it is a one-off case. Nor did the comment you reply to dispute that it may have chilling effects. Who exactly are you disagreeing with?
No. He's saying that the court would not use 18 USC 1030(a) to charge someone of a crime when they did something completely normal and innocuous but which was technically against the language in 18 USC 1030(a) because it was poorly drafted.
He's saying that the courts can make distinctions between what Congress intended (to make it illegal to bypass computer security systems without permission), and what the law might technically forbid but what is completely normal and innocuous to do (like browsing someone's website without their explicit permission).
I thought weev was charged (and convicted) for hacking at AT&Ts website and extracting a bunch of people's personal information? He was certainly not engaging in what you would call "ordinary behavior."
Now, is this something that I, with a bit of idle time, curl, and awk might have done on a lark - yup. Does it scare me that I then might have been found guilty of criminal behavior? Yes. Would I have done something like publish people's personal information on Gawker? Not anymore. Would I let AT&T know personally that they had a security hole? Probably not - likely to be the messenger that would get shot. Is the NET result of this that the bad guys, who keep quiet, and make use of this information for nefarios purposes now have free rein, because nobody will mention it to AT&T? Yes. Is the NET-EFFECT of this law a reduction in security and increased number of security exploitations? Yes. Should the Law be Fixed? Yes.
The information was available just by putting a URL into a browser and nothing more. Just change the number at the end to your iPad/iPhone ID, and the server will send you the user's information. There's no hacking or fraud involved.
Just because something is easy to do does not mean it should be legal. A person could walk into a business and find documents with private information that have been carelessly left in the open. That does not make it ok to take and publish them.
There are plenty of physical crimes that are easy to commit. For example, opening up someone's unlocked mailbox is technically a federal crime in the US (even if you don't take any thing and just put a leaflet there). Pointing out that a 'bad guy' could easily steal someone's mail by opening their mail box does not constitute security research.
Let's not use metaphors. This isn't about federally-protected mailboxes or taking information from a private place like an office. The information was already published when AT&T put it on their public web site. Weev's activity after that was publicizing and commenting on the data.
Not exactly. He also had to change the User-agent header.
Also: let's say someone accidentally exposes their password because it's on a post-it in the background of a photo. Clearly this is crappy security; clearly, at that point, information protected by that password is readily available until the password is changed.
The intent of the owner of the data does, in fact, count.
I'm not convinced that intent of the owner counts, but let's say it does. AT&T intentionally put the information on a publicly accessible server. They even distributed a script that fetched the data when it was requested, when users set up an iPad. So as far as "intent" counts, this data was intended to be accessed.
It's an ID, not an authentication token. If it helps, you can think of it as a username, not a password. It has to be transmitted in the clear or you wouldn't even know who you're talking about.
Doesnt have to be transmitted in the clear; that's exactly what TLS does; allows usernames and passwords to be transmitted with encryption so only the other party can recover them.
What he was doing certainly fell under the auspices of "hacking". I don't think there was any fraud. If you read my response, I make it clear it's the sort of thing I might have done if I had idle time on my hand. Well, except I probably won't anymore given the potential criminal sanctions.
Realistically, there isn't any legitimate reason for me to be doing this to AT&T's website anyways, other than idle juvenile curiosity (which I'll admit to having an abundance of).
> What he was doing certainly fell under the auspices of "hacking".
I really don't see how. He used the exact same query that AT&T's own script used. The server did not break, or expose any unexpected behavior - in fact it worked exactly as AT&T designed and intended for it to work. I don't think you can pin any of this on weev when it's clearly AT&T who screwed up and provided all their customers' data for the asking.
It was hacking because AT&T certainly didn't intend for people to be retrieving other people's personal information by randomly guessing ICCID numbers, and changing their User-agent header.
Look, I'm not arguing that this should be criminal behavior, and it certainly doesn't merit a jail term. I can't tell you how many times I've done stuff exactly like this - probably in the hundreds of times. Is it hacking when I paid $15 for a 1 week pass and then used curl to download 11 gigabytes and 10+ years of the American Journnal of Clinical Nutrition? Probably. But, to give all due credit to the AJCN, they detected my repeated queries, and redirected me to a page that asked me to wait 30 seconds between each query when doing bulk downloads.
So, there is a case where I wasn't doing the obvious (downloading through the web interface), "hacking", if you will, but the AJCN was clearly fine with it, they just wanted me to ease up a bit, and instructed me how to do so in a friendly way.
If weev is guilty of anything, it was not realizing that posting high-profile individuals names onto gawker was probably a Really Bad Idea (TM).
> It was hacking because AT&T certainly didn't intend for people to be retrieving other people's personal information by randomly guessing ICCID numbers, and changing their User-agent header.
I think the worst part about this is that it once again sends the message to companies that its OK to be this negligent. The law came in and fixed everything, the system works! Bad things were done, the bad people are in jail, full resolution.
I don't feel safer if every hacker ends up in jail. I feel safer when things are too hard to hack, or at the very least not brain dead easy to hack. This is very similar to Sony's response to repeated hackings of their customer's credit card numbers stored in plaintext: "We'll get those perpetrators!" instead of "oh we'll stop being ridiculously negligent now". The arguments of discouraging future hackers with harsh sentences don't work when 15 year olds are doing this all around the world. I want my information protected so that my money can't be stolen, not to receive retribution for it afterwards. If my bank left all the security boxes wide open for anyone to steal from, sure its still a crime to steal from them but I'd be much more pissed at the bank -- I pay them to keep that stuff safe!
I think we have too often come to accept crime followed by punishment as an ideal scenario, forgetting that sometimes there even exists the possibility of avoiding the initial crime in the first place.
Well, he addresses this in the article: "Even if we'll probably be found innocent, why take the risk? Better to keep quiet." That has a chilling effect, suppressing free speech and is generally harmful to society.
In addition, there's a whole grey area which he highlights and you disregard just by trusting the courts, which doesn't prevent you from getting arrested and sued with all the financial and mental stress those things entail.
The entire point of the courts is to address grey areas. Legislation will never be perfect, and will never be able to account for things on a case-by-case basis, and will never be able to keep up with change.
If you want better legislation, then you need to make sure the people writing it are well-educated in the areas you care about. This is the original purpose of lobbying.
And the entire point of the article is that this particular law is so full of grey areas that it's at best useless (in the sense of working for its intended purpose) and at worst actively harmful due to the chilling effect.
Since this law was passed in 1986 (according to the article), Hacker News, Google, and Facebook were started. I'm not impressed by the supposed chilling effect.
The article's claim about the chilling effect was, of course, highly specific to the author's personal area of expertise. This is based on something I can't comment on: that the details of weev's case are generalizable to all cybersecurity researchers. I don't know the details of weev's case; do you think it's generalizable? My quick Google yielded me a Wired article that ended with weev laughing about how it might be illegal and the likely possibility it would damage a legitimate business's stock price. Is that a thing all cybersecurity researchers do?
I mean, I agree that the law sucks. That's fairly self-evident here. But what, exactly, do you guys want done about it? "Oh no, something bad happened 26 years ago and I just realized it because of something that happened recently" is weak. Talk to the EFF. Talk to your Congresscritters. Ask other people to do so. Sound and fury signify nothing. If you feel so terribly chilled, explain it to the politicians and get some lawyers working on the problem. I'd suggest civil disobedience, but you probably don't have the courage to get arrested if you're busy being chilled.
Yes, it sucks to be a case study. Cancer patients go through it all the time: the result? LESS CANCER. That's what the courts are also for. You go up there and say, "My situation shows how this law is stupid." You take a beating as all the relevant details are dragged out and scrutinized so that they can be sure. And hopefully, they agree with you and set precedent that the law is, in fact, stupid and fewer people have to deal with it in the future.
Do you even know what a chilling effect is? What does the appearance of Google or Facebook have to do with it?
I'm not personally scared, but I understand what the problems with this kind of laws (bad, vague ones) are. The problems almost disappear when everything works as expected.
The real problem which you ignore is that laws of this sort give the authorities a big loophole for abuse (which probably is not what has happened to weev, but that's not what I'm discussing.) If you think that's not a worry, I envy your worldview.
That said, I fully agree that more formal action should be taken, contacting EFF and congressmen and whatnot. But writing about it can motivate people who were not in the know to act, it's not just empty "sound and fury."
This is the best of our system (a check on the legislative more effective than re-election every 4yr) and the worse (having to know about this decision, i.e. hire gaggle of expensive experts to find the "get out of jail free" decision for you. And, whether you are a criminal depends on your geographic (which circut) and temporal (has it been resolved by SCOTUS yet) location.)
Rather than having knowable, deterministic laws we are all at the mercy of the lawyers and judges we happen to get that "day".
i look forward to the day when a law is written in a formal language (such as mathematics), such that a machine can be used to apply it, and that no ambiguity exists. Thus, you can a head of time, tell if a deed will break any existing law before performing the deed.
I vaguely remember there was some discussion of this in 'Metamagical Themas' by Douglas Hofstader. It's been a while since if I read it, but if I remember correctly he drew some parallels between law and provability in maths - basically, you can either have a system of law which cannot cover everything you want to make laws about, or you have a system of law which does, but which has some undecidable laws. Feel free to correct if I've misremembered.
You can take it a step further: until we can model human behavior mathematically, a legal system attempting to regulate that human behavior cannot be modeled in a mathematical way.
In other words, by the time we have consistent laws (in the mathematical sense), "Precrime" could already exist.
The "formal language of mathematics" is can only be read by those who have taken the time to understand it's symbols, syntax and grammar. Legalese generally also has very specific meaning, but without training "us mere mortals" fail to interpret it correctly too.
I guess that one positive impact of your idea would be moving mathematicians into the almost celebrity status of lawyers. They'd be fun to watch when interviewed too.
Here's an idea: if legalese is similar to mathematics in that without training we fail to interpret it correctly, couldn't we incorporate it in our education the same way we did with mathematics?
Just to be clear, I'm not proposing to teach kids to be lawyers. Being a lawyer would be like having a PhD in mathematics. But we do teach kids basic calculus, algebra and stuff like that, so why not "basic legal stuff" (whatever it's called)?
So, you're saying that's more dystopian than the thought of secret laws for 'national security', on top of a body of laws that already spans over 200,000 pages, whereby even with non-poorly-written laws, you're still likely breaking one every single day?
Because that's what we have now. So if those are my options, then shit yes, I will take mathematical certainty of the legality of my actions any day.
I'd argue that you really can't say anything with such certainty. If true friendly AI is ever possible (and that is up in the air), such a system would be a better one. Obviously, this is all speculation.
People are emotional and subjective by their very nature. It is not possible to be objective - one can only tend towards objectivity by applying constant introspection and reassessing one's world view. Nonetheless, an Ape is not capable of being a Vulcan. It is, frankly, a travesty that people's fates are being decided by other people's stomachs.
It's impossible to formally define a complete system of mathematics which is the most strict logical system out there. Yet you somehow expect laws to be formally be defined.
To address this and the comment from epo, obviously such a system is not possible.
I don't expect laws to be formally defined, I just expect them to be few, sensible, and transparent. Reasonable people shouldn't have a hard time inferring whether a specific activity is illegal.
Right now, our body of law is vast, complex, opaque and uncertain. Because of this, as I said above, most people likely break the law every single day. This gives rise to tyranny by selective enforcement (http://en.wikipedia.org/wiki/Selective_enforcement), burdened economies and reduced investments due to untested and protectionist regulatory regimes, and an overall reduction in freedom and civil liberties.
By contrast, yes, the knowability and certitude afforded by a hypothetical-but-impossible legal system based on mathematics would be preferable. This is really not a complicated idea.
“Corruptissima republica plurimae leges. [The more numerous the laws, the more corrupt the state.]” — Tacitus, the Annals ca. AD 69
Right now, our body of law is vast, complex, opaque and uncertain.
So's our society. Roman law was quite a bit simpler, but justice in ancient Rome was extremely unpredictable.
By contrast, yes, the knowability and certitude afforded by a hypothetical-but-impossible legal system based on mathematics would be preferable. This is really not a complicated idea.
As HL Mencken said, 'For every complex problem there is an answer that is clear, simple, and wrong.' Godel's theorem tells us that in any sufficiently expressive formal system (such as mathematics), you can have consistency or completeness, but not both. A hypothetical mathematically-precise legal system would thus yield cases that either couldn't be judged because there was no prescription for such a situation (a div zero problem, if you will), or else would yield contradictory results on the same facts at different times.
As computer programs show us, the only way to remove ambiguity is to be incredibly specific. In practice, this would mean laws that are very, very long, and have to revised very frequently.
Why? Because you can't formalize away the fact that humans can't think of everything ahead of time. We make laws about your rights regarding messages you write on paper, then telegraphs and telephones and email come along. Either you try to interpret the law to cover them, or you revise your definitions of "messages" to include or exclude them.
In a "specify everything" system, everything that the courts currently interpret would have to be sent back to the legislature. The effect would depend on what you do with gray areas in court.
Option 1 would be "if a case is ambiguous, put it on hold until the legislature clarifies the law." That would clog up the courts and effectively merge the court and the legislature.
Option 2 would be "decide cases based strictly on existing law and let the legislature revise things for the next go round." That would create a lot of absurd outcomes, where a small loophole, with no ability to apply "common sense", means innocent people are convicted or guilty people are freed.
Option 2 would almost be workable if you had a very streamlined system for implementing revisions, to prevent more than one individual from exploiting a loophole before it's closed.
Like a group of elected officials who's only job is to close these loopholes without massive fanfare and a simple vote. A process that is incredibly fast and decisive in order to get double digits done per day.
> A process that is incredibly fast and decisive in order to get double digits done per day.
Because, y'know, having officials crank through tons of difficult decisions per day is such a supremely effective[1] and corruption-free way to create a social process. It's worked so very well for the patent system, why not for law and jursiprudence?
If that's so, why do we give every one in the USA a black-and-white obligation to know and follow the law? Ignorance of the law is no excuse, we're often told. No slack gets cut for judgement most of the time.
On the contrary, it is our current system of allowing laws that are totally ambiguous that results in the poor situation we are in now. For example, the 2nd amendment is black and white. I have the right to bear arms and that right shall not be infringed. And yet how many laws are on the books making it an offense to bear arms?
New rule: (forall ?X (implies (and (isa ?X USCitizen) \
(locatedIn ?X UnitedStatesLegalJurisdiction)) (bearArms ?X)))
- Rule 2 added.
New rule: (thereExists ?X (isa ?X USCitizen) \
(locatedIn ?X UnitedStatesLegalJurisdiction))
- Rule 20 Added
New rule: (implies (and (locatedIn ?X ?Y) (isa ?Y USState)) \
(locatedIn ?X UnitedStatesLegalJurisdiction))
- Rule 21 Added
...
New rule: (isa California USState)
-Rule 1850-342 Added
...
New rule: >(forall ?Y (implies (locatedIn ?Y California) (not (bearArms ?Y)))
- Error: New Rule #4422 conflicts with Rule #2
Request Ruling:
(locatedIn JamieBriant224112344 California)
(bearArms JamieBriant22411234)
- Data is consistent.
The problem with our legal system is that it is expected that it is ambiguous. Those in power tell us that it is good for the law to be ambiguous. Yet what are the results:
1. You need a law degree to even practice - control.
2. The government can selectively prosecute - corruption.
3. Fear of losing, even when morally right.
4. Everyone is a criminal.
I do not believe we want such a system even if it were possible.
Many things involve context (it is illegal to murder someone, but a killing in the context of self-defense is often not murder). Even where context is not explicitly recognized by the law, we want judgment and discretion to exist (speeding because you are drag racing is very different than speeding to a hospital with a bleeding passenger.)
Actually, most people will never see the judge or be at his mercy. Most people accept the plea bargain they are offered. We literally do not have enough judges for every arrested person to exercise their right to a trial.
As always you bring great insight into this, but what your reply does not mention is that the average laymen knows none of this.
Having such a law on the books means that a boss, computer service provider, etc. could show a laymen this law, even let them look up the law themselves and then threaten to have someone prosecuted for things which may be proper (or at least not illegal). The person being threatened would be able to verify that the law was real and without having a lawyer to explain the full situation may feel they are in a very bad bargaining position for whatever demands the other side makes.
As the court said, "We shouldn't have to live at the mercy of the local prosecutor" but neither should people without lawyers have to live at the mercy of those who could use such a law to threaten prosecution for negotiating purposes.
When they have a law that seems on first reading to say what the employer says it does, then the employer can show it to the employee to gain credence and the law itself will confuse any employee who does a little research without going further.
More than that, the employer may not realize they are misrepresenting it when the law seems to say something. They may be misusing the law in good faith. Something that will happen less often with clearly written laws that are not heavily interpreted in the common law.
That sounds like bullshit. Posting link to Hacker News is not exactly how one protects access to his private information. Obviously, whatever is written on that page, the real intent of the author was to publicize the article, and his words in the blog that he is denying access is a lie.
Also, this is placed on a well known public blog, also submitted to search engines and other public catalogues, means that nobody in his sane mind would consider this a private place not intended for public visitors.
It is also a common practice, accepted by vast majority of users, that sites run Javascript in user's browser, and that some data - such as cookies, display resolution, etc. - is available to these scripts. If the site took some liberties outside of accepted practices common for Internet browsing - such as using a hole in the browser to read documents on my hard disk that I did not specifically upload to the site - then yes, the site author would be liable. But to scare me into believing what author intends me to believe, he better would find any court insane enough to interpret it this way.
> Your screen has a resolution of XXX. I know this, because (with malice aforethought) I clearly violated 18 USC 1030(a)(5)(A) by knowingly causing the transmission of JavaScript code to your browser to discover this information.
Ha, ha, ha. My anti-JavaScript firewall has steadfastly deflected this individual's malicious attacks!
I'm committing a crime by (supposedly) breaking a law from a country I've never been to? I guess I should start wearing a hijab so I don't break Saudi Arabia's laws too.
From the title I assumed this was going to be about how we have such a volume of law that it's pretty inevitable that you're already breaking several, if not several hundred.
200 comments
[ 4.2 ms ] story [ 324 ms ] threadTrue. This is how a Common Law system works, and why rants about 'activist judges' who 'legislate from the bench' are so idiotic in (most parts of) the USA: That's a pretty fair description of how Common Law works.
The legislature writes laws knowing that they can't possibly think of every possible fact pattern, every possible scenario the law might be applied to, and the legislators expect judges to apply their judgement to apply the law, clarifying it in the process. They are active because the law was written to be applied by humans, and they legislate to the extent they effectively add interpretations and nuance to the statute law.
(The only part of the USA not under Common Law is Louisiana, which inherited its Civil Law system from France, which inherited it from Rome. AFAIK, the entire United Kingdom is under Common Law; the UK is, after all, where the majority of the USA got the Common Law from.)
That is know, but the arguing here is that the current legislation is way too vague. Is like a law saying: "Is illegal to be evil"; is haves a very subjective definition to have real-world implications and can be abused easily.
Because all, or nearly all, such rants are idiotic when you know how Common Law works.
EDIT: Obligatory shout out for https://postcongress.io/
http://apple.stackexchange.com/questions/59283/why-is-a-reti...
Like Al Capone for Tax. Cant get someone for real hacking, so these vague laws help along the way?
I'm coming to grips with the idea that law is mostly empirical and can only be falsified. Which means that, by design, you can't know if you are following the law or not.
You can almost think of the law just like you would a complex codebase. Unfortunately, we live in an age where the law has become so complex the average person can't keep it straight. I seriously doubt that this would change no matter how the law were refactored. The good news is that we do have a society where a concerned citizen can learn a lot about the law on their own. Thus, I would argue that the law is complex, but easy to approach if you want to become an expert on a particular module or subsystem.
No, it's not that this isn't what the law means. It's that this isn't what the law says. There are vague laws, and there are ambiguous laws, but you are way overstating your case here. Either that, or you have never read § 1030.
His blog seems to be used in foreign communication, it can be accessed from foreign countries. Does that make it a "protected computer"? I accessed his computer and received information. And I was never "authorized" to do so, except through the implied openness of the web, which the law doesn't seem to mention at all.
"Protected computer" is explicitly defined.
The defendant could also have been charged - in some other case - with 1030(a)(2), which is obtaining information from any protected computer without access. In that case, the government would not have to prove fraud.
Furthermore, regardless of whether the prosecution charges a crime that requires intent to commit fraud --- for instance, in the unlikely event that they tried to spin a yarn about a blog affecting interstate commerce --- CFAA crimes aren't strict liability. They must prove intent to exceed authorization.
http://en.wikipedia.org/wiki/Wickard_v._Filburn and subsequent cases: producing a product on your own, and thereby not engaging in commerce, is considered commerce.
(Also, this year's PPACA ruling detoothed the commerce clause's power. How much it did that is to be determined.)
That is flatly and totally wrong. Any computer connected to the internet is a "protected computer" for the purposes of this statute: full stop, end of story. Additionally, some computers not connected to the internet are protected computers.
It's possible that a blog on an intranet machine that is absolutely not accessible to the outside world could be argued not to be a "protected computer". Any blog routable from the outside world absolutely is.
Every blog in the world accessible from the internet is in fact being run on a "protected computer". Accessing any of these machines without authorization or exceeding authorization can in fact be charged as a federal misdemeanor.
This is not arguable. It's exactly what the statute says, it's exactly what the DOJ says, it's exactly what every court to consider the issue has said.
For example, here's a direct quote from one case: "the latter two elements of the section 1030(a)(2)(C) crime [obtaining information from a protected computer] will always be met when an individual using a computer contacts or communicates with an Internet website".
Note the word ALWAYS. All that remains to be proven is that you weren't drunk or otherwise not in control of your faculties, and that you did it without authorization or exceeding authorization.
People take issue with me calling you a knucklehead. But you are making statements that anyone with a cursory knowledge of the law would know to be false, and you are making them repeatedly and refusing to educate yourself about it or to investigate in any way or to consider the possibility that you might be wrong.
tptacek's post (http://news.ycombinator.com/item?id=4812735, '[located outside the United States but using it in a manner that affected interstate or foreign commerce or communication of the United States];') and other info on the statute appears to show that the law is extended to those that cause detriment to US trade from anywhere.
Jesus, Rob. You know this isn't true. Under the CFAA, you can't simply declare your blog "off limits" and then press charges. I have to access the site with the intent to commit fraud. And my access to your site has to further that fraud.
The Wikipedia article about web scraping [1] is quite interesting though very much just a start; it becomes pretty complex when you look at some older rulings such as Feist v. Rural [2] or (especially) Dastar v. Twentieth Century Fox Film Corp. [3].
Then you start thinking about how some of the more recent "click-wrap" agreements play into things... To me they seem unrealistic and/or unenforceable, but it even more complicated when you factor in that the 'protected contents' might be public domain or otherwise potentially preempted by copyright, etc...
It's definitely an evolving area of law. And an area of law that I really enjoy as a 'hacker'. I just hope for continually positive legal evolution...
1 - http://en.wikipedia.org/wiki/Web_scraping
2 - http://en.wikipedia.org/wiki/Feist_v._Rural
3 - http://en.wikipedia.org/wiki/Dastar_Corp._v._Twentieth_Centu....
The additional crimes chargeable under the CFAA are:
* Access to state secrets
* Access to financial records or to "protected systems"
* Access to government computers
* Attempts to intentionally cause damage
* Attempts to commit extortion using the access
None of these apply to blogs.
> In the general case, the government must prove beyond a reasonable doubt that the unauthorized access to the computer system was in furtherance of an actual fraud that produced something of value for the accused.
That is 100% false, and I'm calling you out as having simply made it up. Fraud is NOT required, take a look at 1030, we can quite clearly read:
"Whoever - (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains (C) information from any protected computer, shall be punished as provided in subsection (c) of this section"
It's there in black and white.
Nobody is making anything up. On either side of the argument.
I seriously don't care about the fine point we're hung up on here. 1030(a)(2) is a bad rule, at least until we fix the definition of "protected computer". There's no underlying political disagreement about whether the statute reads as reasonable, even though in practice it does not mean the thing Rob thinks it means.
My only investment in this debate is that it's clear that most people on HN think that the unreasonable part of CFAA is how they determine "unauthorized access", and that incrementing a number in a URL to harvest information should be fair game. There, I care a lot. People skilled in the art can make a convincing argument for lots of vulnerabilities being so trivial they can't reasonably constitute unauthorized access. That's not how the law works and it's not how the law should work. When Rob says that the problem with the law we have is that it's too easy to make a case that access is unauthorized, Rob is wrong. He's wrong in the specifics: you won't be charged and couldn't be convicted for reading his blog. He's also wrong in principle: the problem with the CFAA, such as it is, isn't that it's too easy to make "unauthorized access".
That said, I'm curious which specific case you're referring to in your first paragraph - and which court it was in.
I've done a fair amount of research into this type of case law and, from what I've seen, it seems like things have gone both ways in various different courts. As far as I know there is no binding precedent, at least not from a higher court, but I'd love to be wrong on this.
Seeing as this comment may end up lost within this thread, feel free to shoot me an email directly (available on my profile).
> I seriously don't care about the fine point we're hung up on here.
... and that's why you're getting your facts wrong.
I see lots of IRC conversations about things the defendants, Auernheimer and Spitler, could do with the email addresses they were getting... but no concrete plans to actually do those things. Yes, the downloading of the addresses itself was an overt act, but I see no overt act alleged that specifically reveals fraudulent intent or acts in furtherance of a plan to commit fraud. The only overt acts alleged, other than the downloading itself, were (1) they sent some email messages to some of the victims, and (2) they gave all the email addresses to Gawker. I see nothing in here alleging concrete steps toward extorting the victims, or stealing their bank accounts, or deceiving them in any way, or indeed anything by which they would actually profit. Again, they discussed various possibilities, but I see no evidence here that they actually undertook any of them.
I'm sure it didn't help their case that they figured that what they were doing was illegal or at least tortious, and that they attempted to destroy evidence.
But the crux of your response to Rob is that they had the intent to commit fraud, and frankly, reading this indictment, I still don't see any evidence of that beyond some IRC banter.
There's also, seems to me, an odd circularity to the government's argument. They're alleging conspiracy, and among the overt acts that demonstrate this alleged conspiracy, they include the scraping of the email addresses. But the crime that that overt act is supposedly in furtherance of is... conspiracy. Seems to me this recursion is missing a base case :-)
Count 2 of the indictment has a slightly different thrust. Even though it's titled "Fraud in connection with personal information", it references USC 18 § 1028 (a) (7), which says: "Whoever ... knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law [shall be punished, etc.]." What they seem to be saying here is that the ICC-IDs themselves count as a "means of identification" and that the fraud consisted simply of using said IDs to access the AT&T accounts. But this is also circular. The "unlawful activity" is the violation of the CFAA itself. The demonstration that the CFAA was violated rests on the assertion that it was violated.
If this indictment reflects the strongest arguments the prosecution has, I must respectfully disagree with this jury.
No, the crux of his response is that the government alleged fraud, and so using the case to claim that just accessing a site is a federal crime is at best hyperbole. Whether or not the allegation of intent to commit fraud is accurate or not is not relevant fo that argument.
I think one thing that is happening here is that we're getting our wires crossed between Rob's post, which says you've committed a crime by reading his blog but that's OK because he committed a crime by sending you Javascript and that post is simply incorrect, and the Auernheimer case from yesterday which is not nearly as cut and dry.
Rob is wrong. But even I think the Auernheimer result is shady; I think "unauthorized access" should be cut and dry (if you know you're not supposed to do something with someone else's computer system and you do it anyways, that's unauthorized access), but the conspiracy charge is shady, the allegation of fraud is extremely shady (they were spitballing about the impact of what they found, not planning an elaborate fraud), and using 1030(a)(2) + conspiracy to avoid confronting those issues is also shady.
For the most part he CAN declare his blog off limits and press charges. Except that Federal prosecutor has to decide to press charges, not the individual.
Note tptacek: you should understand there are several different sorts of crimes criminalized by this statute, and fraud is only one of them, and for the other ones, no fraud is required to have occurred. Read carefully.
The law is here: http://www.law.cornell.edu/uscode/text/18/1030
EFF's analysis of the law is here: http://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_(C...
The Ninth Circuit's model jury instructions are here: http://www3.ce9.uscourts.gov/web/sdocuments.nsf/0/71dd91317b...
Read the government manual:
http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf
You're filling this whole thread with disinformation. Stop it.
You can feel free to point to the part of the DOJ manual that rebuts me, too.
obviously includes formal language that means something i don't understand.
1030(a)(2)(C) Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer; shall be punished as provided in subsection (c) of this section.
Under the statute, a "protected computer" generally means any computer connected to the internet.
Also, based on the legislative history, "obtains information" has been read to mean "merely observing" information.
The only issue is "without authorization." Based on its plain meaning, the law could mean that you need affirmative authorization to access any website.
Obviously, that's a real stretch, but there was a case decided by the 1st Circuit Court of Appeals [1] that held a company liable for using a web scraper - where the court said the defendants exceeded authorized access based on the website's boilerplate copyright notice.
[1]http://openjurist.org/274/f3d/577/ef-cultural-travel-bv-v-ex...
http://en.wikipedia.org/wiki/Reasonable_person
You can't parse sentences out of context and apply programmer logic to them, that's not how laws work.
It's true that Judge Kozinski in the 9th Circuit said he would not "apply a badly drafted piece of legislation to lead to [an] absurd result."
But the issue is not cut and dry.
Kozinski essentially acknowledged he was interpreting the statute in a manner possibly at odds with its very language. These courts get reversed all the time (over 70% of their cases) - and other circuits have read the law more narrowly.
And the government itself supports a narrow reading of the law.
OP's article is over the top. My point is, the "authorization" part of the law appears extremely broad and as the DOJ puts it: "the case law on this issue is muddy."
As for common law:
http://en.wikipedia.org/wiki/Common_law
I am still not a lawyer.
Common law is judge-made and only governs in the absence of statutory authority. (Due process and trial by jury are constitutional laws). The reasonable man is primarily a negligence standard.
http://online.wsj.com/article/SB1000142405311190406060457657...
http://www.amazon.com/gp/product/1594035229/
Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws[1]
It was written by the Congressional Research Service and is well suited for non-lawyers. It is all of 9 pages including cover material and is the tl;dr version of the 97 page:
Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws[2]
[1] http://www.fas.org/sgp/crs/misc/RS20830.pdf
[2] http://www.fas.org/sgp/crs/misc/97-1025.pdf
You can't just focus on statute and ignore precedent, because precedent defines the standards for statutory interpretation. So many people on HN look at the statute and think that's the whole law, and then assume that any arguable interpretation of said statute is legally binding. This is absolutely not the case.
Edit: Actually, the EFF page that tptacek linked to earlier mentions the US vs Drew case, where they charged that a person was "unauthorized" simply by being in violation of the MySpace terms of service, but the court instead ruled that they were not unauthorized because the law itself was too vague ("the absence of minimal guidelines to govern law enforcement"), and because the terms of service weren't prominent enough.
On the other hand, violating any sort of unambiguous access restriction is clearly illegal. Suppose you start work at a new job. The boss tells you not to read the files in the "BOSS" directory on the webserver, which is connected to the internet and not password protected. You read them. Have you committed a Federal misdemeanor? Yes. No court disagrees. Many people have been convicted and sentenced to prison terms for extremely similar behavior (often involving employees who take files with them when they leave employment, or similar).
Did you read the post? That's not the case, which is exactly the problem. If you access a web site that is publicly available, not behind any login system, but happen to embarrass a large company by doing so (like they mistakenly made it public) then you go to jail. That's why it's so unbelievably stupid and has to be fixed, hence his post.
<i>"intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer"</i>
It doesn't say "intent to commit fraud" or even "intent to obtain information". It just says "intent to unauthorized access". Negligence and recklessness count as intent, so accessing a computer without caring whether you had authorization or not is still "intent".
When the CFAA was written in 1986, all access to computers was explicitly authorized. Then the web happened, when people started recklessly accessing computers without caring whether they were authorized, and everyone was in technical violation of the law.
A member of the public can enter and look around the area that is obviously designated as public. There are areas in the restraunt that is marked "staff only" - some may have locks, some may not. But anyone who is not a staff entering those areas (whether they broke the lock, or just opened the door coz it was unlocked) is trespassing.
Now, imagine a website in the above scenario. If the administration area of the website is "unlocked" and a user "stumbled" into it, is it still a crime?
See, the problem with laws like CFAA is that they are based on the premise that there is "nothing" a bank could do to prevent hackers from accessing their computers without permission. At no point did anyone stop to say, "Maybe computers that process billions of dollars in transactions every day should not be plugged into the public phone network or Internet until we have some good reason to think those computers cannot be manipulated by hackers;" instead, the thinking was, "Hackers are evil wizards, nobody could possibly protect themselves from hackers, so we should make a law that allows us to throw the evil wizards in prison!" The idea that AT&T should be blamed for leaving customer data out in the open like that is not even on the table (strangely, if AT&T left a binder full of personal information unattended on a table in a public park, and labeled the binder "DO NOT OPEN," they would probably be the target of a successful lawsuit).
This article is an uninformed rant spreading FUD in the pursuit of a personal goal and it doesn't deserve the attention it is receiving any more than the garbage legal scaremongering for which SCO was notorious.
Also it's "proof of concept" fails to identify screen resolution so not only is the author a failure at reading the law but also at writing working code.
Sometimes judges and juries screw up -- maliciously, or otherwise. Most of the time they don't. It sucks, but it's the best system we've got.
That's not to say that the legislators shouldn't try to make laws clear and unambiguous, but they have a lot on their plates and patching a hole in a 1986 legislation that doesn't seem to actually harm anyone isn't high on their priority list.
This is what we have courts and an executive branch for: the law can really only provide broad guidelines. It's up to the other branches to apply these principles in practice.
[1] http://boingboing.net/2005/01/27/jailed-for-using-a-n.html
[1] - http://www.samizdata.net/blog/archives/008118.html
I've always wished there could be some kind of government agency you could go to, where you would lay out exactly what you would like to do, and they will explicitly decide in advance, and it would even set judicial precedent. Maybe you would have to pay the fees for lawyers on both sides and judge (so it wouldn't be cheap) no matter what the outcome, but if your actions were found to be legal in advance, then that would be binding, and there would be zero risk to your actions.
The flipside to this is that there is so much information that people don't know that their questions have already been answered.
http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf
Essentially, anything you do exceeding authorization to a computer connected to the internet is potentially a U.S. federal crime. Anywhere in the world. No fraud need be proved. For example, here are the elements of a crime under 1030(a)(2):
1030(a)(2) Summary (Misd.) 1. Intentionally access a computer 2. without or in excess of authorization 3. obtain information 4. from financial records of financial institution or consumer reporting agency OR the U.S. government OR a protected computer
So if the government can prove these things: you intentionally accessed a computer; without or in excess of authorization; obtained any information at all; and it was a computer connected to the internet, then they have successfully proved that you violated 1030(a)(2). Numerous whistleblowers have been charged with violating this law, including Bradley Manning; at least one "cyberbullying" case has been charged under it, etc.
NO FRAUD IS REQUIRED. You can shouldersurf someone's password, log in as them, type "ls", log out and never use that password again - you've violated that law.
Every person working with computers in the U.S. or anywhere the U.S. can reach with its laws should have this engraved along the top of their keyboard.
Normally I would go and dig up a bunch of supporting material to justify this assertion, but your blanket assertions and dismissal of other posters as 'knuckleheads' tells me that it's simply not worth the effort. Flagged.
I am not disagreeing with you, but in your example, wouldn't the part I have emphasised technically be fraud in some letter of the law way, because you have represented yourself as them to the computer?
It's quite possible to violate 1030(a)(2) without any deception and without any financial or personal gain.
I agree, you should stop embarrassing yourself. Multiple lawyers, including practitioners in this field, are discussing in depth why you are completely wrong. Fraud, it should be noted, is only one of the possible violations--there are others. But tptacek's point was that the intent to commit one of these violations is necessary (and that specific intent determines which charges apply. As you can clearly see from the statute, intent is an element for every one of these charges http://www.law.cornell.edu/uscode/text/18/1030.
You can shouldersurf someone's password, log in as them, type "ls", log out and never use that password again - you've violated that law. That's not fraud. That's accessing a protected system, which is a separate charge. It's a problem if you don't have permission, express or implicit, for that access.
Does that constitute intent?
If I am unconscious, and someone lifts my hand up and uses my fingers to type in a password, I didn't have intent to access a computer - I am not guilty of a crime. But if I intentionally struck keys on my keyboard, knowing that I was striking keys on my keyboard - that's intent. I do NOT have to know that it's a crime or intend to commit a crime.
Some crimes do have specific intent elements, where the person must be proved to have intended some specific result. This isn't one of them.
No, to be clear, tptacek is saying that fraud is necessary for any conviction under 1030(a). That's false. You're saying that intent to commit a crime is necessary for any conviction under 1030(a). That's false too.
It's you and tptacek vs. the DOJ's cybercrimes manual. Good luck!
Yes, it makes legal citations, but so do the US PTO guidelines. It's like reading one of the briefs for a supreme court case and declaring that's what the law is.
Like any legal brief, it's just a glorified policy position with legal citations instead of study citations.
If you want to know what you may get arrested for, sure, it's great. If you want to know what you may get convicted of, it's near worthless.
The first one would be very hard to solve anyway. Most laws don't specifically prevent arrest for minor violations, and at least right now, you can almost never prevent the police from arresting you for something (in most cases, they don't actually have to tell you why they are arresting you, only that you are being arrested. They can charge you with something different than they tell you anyway).
The core of your argument is that Rob is right that there's a chargeable offense happening when you read his blog, because the 1030(a) statute is so vague. That's just not true. There's specific precedent for why it's not true.
If you want to refine your argument to say that 1030(a)(2) (plain unauthorized access) and 1030(e)(2)(b) ("protected computer") are unconscionably vague and leave too many people exposed to frivolous prosecution, we agree, modulo that I think we diverge on the fact that nobody's going to be convicted in those prosecutions without an allegation of fraud to accompany it.
What is it with Hacker News lately? I've never whined about the quality of community before, but this trend is beginning to worry me.
Further bellow you can see someone else saying that your arguments are "bullshit". Then there was this submission the other day stating that "Stephen Elop is so full of shit". Not even "full of it" -- no, it's like that "Madagascar" quote: "Well, of course we're going to throw poo at him!"
I often state my position quite bluntly when I disagree with someone, but personal insults are a different story. (Not that I haven't made that mistake ever, but you make a mistake and you learn from it.)
Honestly, I don't know what I might achieve by writing this, but there's a small part of me that harbors hope that things might change. It doesn't hurt anyone to maintain a modicum of civility, people.
Not to make it about me; I'm just saying, there are message board pathologies that are as annoying as "knucklehead" but not as obvious, so let's not single them out.
But this post made me less supportive of your cause not more.
You wont improve the standing of your argument in this manner. You'll only make regular people think you're crazy.
This is a GOOD thing. The whole point is, there's no clear line between reasonable access and hacking. It's something which the courts have to figure out.
The Common Law is largely based on common sense, and precedent; and precedent is based on a previous judge's common sense. The three big rules for interpreting laws are the plain meaning rule (use the literal meaning), the "golden rule" (ignore the plain meaning rule if it's obviously stupid), and the mischief rule (figure out what mischief the lawmakers were trying to prevent).
A vaguely written law lets judges use their common sense. While I'm sure there'll be people who disagree with their interpretations, it's either that or black and white statues which simply won't work.
The opinion is not only compelling, it is a brilliant example of law at its best, for it shows how a wonderful legal mind wrestles with a knotty problem that can be summed up with the question, "Should courts apply a badly drafted piece of legislation to lead to the absurd result of criminalizing a whole host of minor misdeeds committed by individuals every day in using the web and their computers?" Judge Kozinski answered this question with a resounding "no."
He did so by applying the "rule of lenity," which requires "penal laws . . . to be construed strictly." (at p. 3872) "The rule of lenity not only ensures that citizens will have fair notice of the criminal laws, but also that Congress will have fair notice of what conduct its laws criminalize. We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals." Applying this rule, he held as follows: "Therefore, we hold that 'exceeds authorized access' in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use." (emphasis in original)
In other words, though the CFAA is so badly worded that one might potentially give it an absurd and unconstitutional interpretation so as to criminalize things one would think shocking for Congress to have criminalized, the courts have the power to apply well-established rules of statutory construction so as to avoid such an absurdity. Here, the Ninth Circuit did so by construing the CFAA to criminalize violations of access restrictions (i.e., hacking) and not violations of use restrictions (terms of use on website and the like).
Now, there is a split in the federal circuits on this issue and it will either be resolved by an amendment to the statute or it will eventually find its way to the Supreme Court for resolution. But, even granting the split, the most extreme cases in which the CFAA has been applied criminally have involved things such as employees misappropriating trade secrets and other items that go far beyond innocuous things such as violating an employer's computer use policies by surfing the internet on company time.
In other words, no court has gone so far as to adopt anything close to the absurd outcomes suggested in this piece. Even the government in its arguments to Judge Kozinski strongly stated that it would never consider prosecuting such items as crimes. ("The government assures us that, whatever the scope of the CFAA, it won't prosecute minor violations. But we shouldn't have to live at the mercy of the local prosecutor." at p. 3870)
Thus, it is fit and proper to call out the alarmist tone of this piece as being wildly outside the mainstream of where the courts have gone with the CFAA and of where they are likely to go. Is it badly drafted legislation? Yes, it is a mess (if you want to lose your mind, try reading through the text of the statute here: http://www.law.cornell.edu/uscode/text/18/1030). Can it be interpreted to criminalize things that Congress might not have intended to criminalize? Yes, including acts by employees that, though wrongful, may not have been within the contemplation of Congress when it passed the statute. But, that said, is there a risk that the CFAA can be applied to criminalize our daily interaction with computers and the web? No, not unless normal, sound principles of law are wholly disregarded by the courts, which they won't be.
> In other words, no court has gone so far as to adopt anything close to the absurd outcomes suggested in this piece.
Pardon me if I'm missing something here, but doesn't the post exactly say that that has what weev has been charged for?
> This is the issue behind the recent conviction of Andrew Auernheimer for “hacking” AT&T.
weev's actions are a gray area. I don't think that convicting him under the CFAA is absurd. It might be unreasonable or unconstitutional, but there's a valid security issue at stake. To liken weev's actions to viewing a deliberately published-for-public-consumption blog post is a false equivalence: and precisely what makes the piece alarmist.
He's saying that the courts can make distinctions between what Congress intended (to make it illegal to bypass computer security systems without permission), and what the law might technically forbid but what is completely normal and innocuous to do (like browsing someone's website without their explicit permission).
Now, is this something that I, with a bit of idle time, curl, and awk might have done on a lark - yup. Does it scare me that I then might have been found guilty of criminal behavior? Yes. Would I have done something like publish people's personal information on Gawker? Not anymore. Would I let AT&T know personally that they had a security hole? Probably not - likely to be the messenger that would get shot. Is the NET result of this that the bad guys, who keep quiet, and make use of this information for nefarios purposes now have free rein, because nobody will mention it to AT&T? Yes. Is the NET-EFFECT of this law a reduction in security and increased number of security exploitations? Yes. Should the Law be Fixed? Yes.
There are plenty of physical crimes that are easy to commit. For example, opening up someone's unlocked mailbox is technically a federal crime in the US (even if you don't take any thing and just put a leaflet there). Pointing out that a 'bad guy' could easily steal someone's mail by opening their mail box does not constitute security research.
Edit: To be clear, ICCID's are not private, they're printed on the outside of the SIM card.
Also: let's say someone accidentally exposes their password because it's on a post-it in the background of a photo. Clearly this is crappy security; clearly, at that point, information protected by that password is readily available until the password is changed.
The intent of the owner of the data does, in fact, count.
Sort of as if AT&T had chosen really bad, unchangeable default passwords for all their users.
The security on a ICCID is arguably better than any of these things. Unless it's transmitted in the clear? I don't know.
This is all silly.
Realistically, there isn't any legitimate reason for me to be doing this to AT&T's website anyways, other than idle juvenile curiosity (which I'll admit to having an abundance of).
I really don't see how. He used the exact same query that AT&T's own script used. The server did not break, or expose any unexpected behavior - in fact it worked exactly as AT&T designed and intended for it to work. I don't think you can pin any of this on weev when it's clearly AT&T who screwed up and provided all their customers' data for the asking.
Look, I'm not arguing that this should be criminal behavior, and it certainly doesn't merit a jail term. I can't tell you how many times I've done stuff exactly like this - probably in the hundreds of times. Is it hacking when I paid $15 for a 1 week pass and then used curl to download 11 gigabytes and 10+ years of the American Journnal of Clinical Nutrition? Probably. But, to give all due credit to the AJCN, they detected my repeated queries, and redirected me to a page that asked me to wait 30 seconds between each query when doing bulk downloads.
So, there is a case where I wasn't doing the obvious (downloading through the web interface), "hacking", if you will, but the AJCN was clearly fine with it, they just wanted me to ease up a bit, and instructed me how to do so in a friendly way.
If weev is guilty of anything, it was not realizing that posting high-profile individuals names onto gawker was probably a Really Bad Idea (TM).
I think the worst part about this is that it once again sends the message to companies that its OK to be this negligent. The law came in and fixed everything, the system works! Bad things were done, the bad people are in jail, full resolution.
I don't feel safer if every hacker ends up in jail. I feel safer when things are too hard to hack, or at the very least not brain dead easy to hack. This is very similar to Sony's response to repeated hackings of their customer's credit card numbers stored in plaintext: "We'll get those perpetrators!" instead of "oh we'll stop being ridiculously negligent now". The arguments of discouraging future hackers with harsh sentences don't work when 15 year olds are doing this all around the world. I want my information protected so that my money can't be stolen, not to receive retribution for it afterwards. If my bank left all the security boxes wide open for anyone to steal from, sure its still a crime to steal from them but I'd be much more pissed at the bank -- I pay them to keep that stuff safe!
I think we have too often come to accept crime followed by punishment as an ideal scenario, forgetting that sometimes there even exists the possibility of avoiding the initial crime in the first place.
In addition, there's a whole grey area which he highlights and you disregard just by trusting the courts, which doesn't prevent you from getting arrested and sued with all the financial and mental stress those things entail.
If you want better legislation, then you need to make sure the people writing it are well-educated in the areas you care about. This is the original purpose of lobbying.
The article's claim about the chilling effect was, of course, highly specific to the author's personal area of expertise. This is based on something I can't comment on: that the details of weev's case are generalizable to all cybersecurity researchers. I don't know the details of weev's case; do you think it's generalizable? My quick Google yielded me a Wired article that ended with weev laughing about how it might be illegal and the likely possibility it would damage a legitimate business's stock price. Is that a thing all cybersecurity researchers do?
I mean, I agree that the law sucks. That's fairly self-evident here. But what, exactly, do you guys want done about it? "Oh no, something bad happened 26 years ago and I just realized it because of something that happened recently" is weak. Talk to the EFF. Talk to your Congresscritters. Ask other people to do so. Sound and fury signify nothing. If you feel so terribly chilled, explain it to the politicians and get some lawyers working on the problem. I'd suggest civil disobedience, but you probably don't have the courage to get arrested if you're busy being chilled.
Yes, it sucks to be a case study. Cancer patients go through it all the time: the result? LESS CANCER. That's what the courts are also for. You go up there and say, "My situation shows how this law is stupid." You take a beating as all the relevant details are dragged out and scrutinized so that they can be sure. And hopefully, they agree with you and set precedent that the law is, in fact, stupid and fewer people have to deal with it in the future.
I'm not personally scared, but I understand what the problems with this kind of laws (bad, vague ones) are. The problems almost disappear when everything works as expected.
The real problem which you ignore is that laws of this sort give the authorities a big loophole for abuse (which probably is not what has happened to weev, but that's not what I'm discussing.) If you think that's not a worry, I envy your worldview.
That said, I fully agree that more formal action should be taken, contacting EFF and congressmen and whatnot. But writing about it can motivate people who were not in the know to act, it's not just empty "sound and fury."
I recommend this book that's somewhat related to this problem: http://www.amazon.com/Nothing-Hide-Tradeoff-between-Security...
Let me know how that works out if you get dragged into a patent lawsuit in East Texas. :-)
http://www.technologyreview.com/view/507661/jail-looms-for-m...
Rather than having knowable, deterministic laws we are all at the mercy of the lawyers and judges we happen to get that "day".
It's still probably the least bad system.
In other words, by the time we have consistent laws (in the mathematical sense), "Precrime" could already exist.
I guess that one positive impact of your idea would be moving mathematicians into the almost celebrity status of lawyers. They'd be fun to watch when interviewed too.
Just to be clear, I'm not proposing to teach kids to be lawyers. Being a lawyer would be like having a PhD in mathematics. But we do teach kids basic calculus, algebra and stuff like that, so why not "basic legal stuff" (whatever it's called)?
So, you're saying that's more dystopian than the thought of secret laws for 'national security', on top of a body of laws that already spans over 200,000 pages, whereby even with non-poorly-written laws, you're still likely breaking one every single day?
Because that's what we have now. So if those are my options, then shit yes, I will take mathematical certainty of the legality of my actions any day.
I'd argue that you really can't say anything with such certainty. If true friendly AI is ever possible (and that is up in the air), such a system would be a better one. Obviously, this is all speculation.
People are emotional and subjective by their very nature. It is not possible to be objective - one can only tend towards objectivity by applying constant introspection and reassessing one's world view. Nonetheless, an Ape is not capable of being a Vulcan. It is, frankly, a travesty that people's fates are being decided by other people's stomachs.
I don't expect laws to be formally defined, I just expect them to be few, sensible, and transparent. Reasonable people shouldn't have a hard time inferring whether a specific activity is illegal.
Right now, our body of law is vast, complex, opaque and uncertain. Because of this, as I said above, most people likely break the law every single day. This gives rise to tyranny by selective enforcement (http://en.wikipedia.org/wiki/Selective_enforcement), burdened economies and reduced investments due to untested and protectionist regulatory regimes, and an overall reduction in freedom and civil liberties.
By contrast, yes, the knowability and certitude afforded by a hypothetical-but-impossible legal system based on mathematics would be preferable. This is really not a complicated idea.
“Corruptissima republica plurimae leges. [The more numerous the laws, the more corrupt the state.]” — Tacitus, the Annals ca. AD 69
So's our society. Roman law was quite a bit simpler, but justice in ancient Rome was extremely unpredictable.
By contrast, yes, the knowability and certitude afforded by a hypothetical-but-impossible legal system based on mathematics would be preferable. This is really not a complicated idea.
As HL Mencken said, 'For every complex problem there is an answer that is clear, simple, and wrong.' Godel's theorem tells us that in any sufficiently expressive formal system (such as mathematics), you can have consistency or completeness, but not both. A hypothetical mathematically-precise legal system would thus yield cases that either couldn't be judged because there was no prescription for such a situation (a div zero problem, if you will), or else would yield contradictory results on the same facts at different times.
Why? Because you can't formalize away the fact that humans can't think of everything ahead of time. We make laws about your rights regarding messages you write on paper, then telegraphs and telephones and email come along. Either you try to interpret the law to cover them, or you revise your definitions of "messages" to include or exclude them.
In a "specify everything" system, everything that the courts currently interpret would have to be sent back to the legislature. The effect would depend on what you do with gray areas in court.
Option 1 would be "if a case is ambiguous, put it on hold until the legislature clarifies the law." That would clog up the courts and effectively merge the court and the legislature.
Option 2 would be "decide cases based strictly on existing law and let the legislature revise things for the next go round." That would create a lot of absurd outcomes, where a small loophole, with no ability to apply "common sense", means innocent people are convicted or guilty people are freed.
Like a group of elected officials who's only job is to close these loopholes without massive fanfare and a simple vote. A process that is incredibly fast and decisive in order to get double digits done per day.
Because, y'know, having officials crank through tons of difficult decisions per day is such a supremely effective[1] and corruption-free way to create a social process. It's worked so very well for the patent system, why not for law and jursiprudence?
[1] cf. "decision fatigue": https://www.nytimes.com/2011/08/21/magazine/do-you-suffer-fr...
Many things involve context (it is illegal to murder someone, but a killing in the context of self-defense is often not murder). Even where context is not explicitly recognized by the law, we want judgment and discretion to exist (speeding because you are drag racing is very different than speeding to a hospital with a bleeding passenger.)
Legal uncertainty is not something that any company would prefer to endure.
Having such a law on the books means that a boss, computer service provider, etc. could show a laymen this law, even let them look up the law themselves and then threaten to have someone prosecuted for things which may be proper (or at least not illegal). The person being threatened would be able to verify that the law was real and without having a lawyer to explain the full situation may feel they are in a very bad bargaining position for whatever demands the other side makes.
As the court said, "We shouldn't have to live at the mercy of the local prosecutor" but neither should people without lawyers have to live at the mercy of those who could use such a law to threaten prosecution for negotiating purposes.
When they have a law that seems on first reading to say what the employer says it does, then the employer can show it to the employee to gain credence and the law itself will confuse any employee who does a little research without going further.
More than that, the employer may not realize they are misrepresenting it when the law seems to say something. They may be misusing the law in good faith. Something that will happen less often with clearly written laws that are not heavily interpreted in the common law.
Also, this is placed on a well known public blog, also submitted to search engines and other public catalogues, means that nobody in his sane mind would consider this a private place not intended for public visitors.
It is also a common practice, accepted by vast majority of users, that sites run Javascript in user's browser, and that some data - such as cookies, display resolution, etc. - is available to these scripts. If the site took some liberties outside of accepted practices common for Internet browsing - such as using a hole in the browser to read documents on my hard disk that I did not specifically upload to the site - then yes, the site author would be liable. But to scare me into believing what author intends me to believe, he better would find any court insane enough to interpret it this way.
Ha, ha, ha. My anti-JavaScript firewall has steadfastly deflected this individual's malicious attacks!