over-18s are adults, and so it should be easier to stick criminal charges on them.
Only problem is that victims can't press criminal charges, only the state can. So these laws are purely tools of the corrupt state actors and their cronies.
How can a TOS tell someone (a minor) that the person is forbidden to accept an agreement, while simultaneously holding that person subject to that agreement?
It's a paradox in the space-time continuum.
Has any court tested the theory that a minor can be held in violation of a TOS? Contracts entered into by minors are void on their face.
This seems a lot like having a "NO Trespassing" sign in the bathroom of a coffee shop, and then prosecutors charging people who walk in the front door.
Good point. If you put a final clause on your ToS that said "Reading these terms of service is a criminal offence" could you make criminals out of everyone who reads your ToS? :-)
It wouldn't have to say "Reading these terms of service is a criminal offense". It would merely have to say "Reading these terms of service is a violation of these terms of service".
You cannot be held legally liable for reading a contract if it is presented to you. If ToS is meant to be a contract, then no. However, minors cannot consent to a contract, so it would fall on their parents to enforce the contract on the minor.
However, if the ToS is meant to be law, then yes. But courts are known to throw out ToS sections that are written in bad faith. Anything like weev and Aaron are far edge cases with big money and names behind them. Hearst and the DoJ would be highly unlikely to pursue even civil action for breaking the ToS.
It's about more than having holding someone to an agreement they're legally forbidden to accept. It's holding someone to an agreement they don't have facility to read without breaching the agreement. Their terms of service are on the website which the minor cannot read without accessing the website... by which time they are guilty of breach of the terms of service. I don't think I'll never understand the idiocy of American law.
You could also say that the agreement is void w/r/t a minor, because they don't have capacity to contract, via Statute of Frauds. Of course there are plenty of times when they can contract, but TOS in general seem completely obtuse and not actually conducive of anything worthwhile.
"You hadn't exactly gone out of your way to call attention to them had you? I mean like actually telling anyone or anything.' 'But the plans were on display...' 'On display? I eventually had to go down to the cellar to find them.' 'That's the display department.' 'With a torch.' 'Ah, well the lights had probably gone.' 'So had the stairs.' 'But look, you found the notice didn't you?' 'Yes,' said Arthur, 'yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying "Beware of The Leopard".'" -- Douglas Adams.
Contracts entered into by minors are not void, they are voidable, and only by the minor before the age of majority or a reasonable time thereafter. Minors enter into contracts every day -- millions of them work, for one, and child actors' contracts are in their name, not their parents'.
The law seems to be fundamentally broken when it comes to minors. This is basically saying "we don't think you are mature enough to look at this content, but if you do look at it we will consider you mature enough to take criminal responsibility.", which is absolute bull. Surely we should either say that they are responsible or that they are not.
Perhaps it's time for a new SOPA blackout style campaign based on changing terms of service. If a large number of popular sites modified their terms of service so that it became illegal to view those sites for anyone in public office, maybe the absurdity of the whole thing would become evident to the people behind this.
I don't think that government employees hold any special privilege in terms of private contracts, but I don't know. At the very least, it would be interesting to find out.
I know that recently there have been some gun shops that have been refusing to serve government employees, so there is at least a small amount of precedent.
Why isn't this being used to aggressively prosecute spammers?
Sending unsolicited bulk email has been against the ToS of many service providers for very many years. There's real financial harm done. And spam is disliked by very many people.
Because courts have ruled that it's not actually illegal to violate terms of service.
Note how the headline says it "could" have been illegal--if the Justice Dept. had decided to prosecute a teenager on these grounds (never heard of that happening), and if a federal judge had handed down a conviction on those grounds (the 9th Circuit actually ruled the opposite).
As explained in the article the Justice Department uses fierce interpretation of the law.
While the law stands in its current unclear state people are still at risk of prosecution. Conviction might be improbable, but it's still an unpleasant situation to be in.
Note that the Nosal case was a person who was permitted to access to computer, but who then misused information got from it, and not someone who was prevented from accessing the computer.
With the right case, I don't see how this would withstand Supreme Court review. The Ninth Circuit doesn't seem to like it (Drew/Duval). My guess is the the SCOTUS wouldn't approve of private parties drafting their own criminal laws.
Do you want to run foul on multiple felonies (1 per day per ToS violation) along with dozens of other "felonies" that you undoubtedly commit without knowledge.....
Just so you can petition the Supreme Court to take your case, knowing that they can just sit back instead and do nothing?
Wasn't there this Aaron kid that got hit by that very tactic? Hmm. He didn't take the "decades in prison" so well, did he?
> He didn't take the "decades in prison" so well, did he?
So the example you take from what happened to Aaron Swartz is to apply yet more propaganda from the other side, instead of facts?
It's not even something you have to mislead about; 2-3 years in prison as an upper-end estimate is bad enough to make your point without being evasive, and even the ~6 months upper limit that the prosecution had offered in a plea bargain is said to be serious enough to make your point.
You could even mention that Aaron would have been a "felon" should he have been convicted or plea guilty on those charges and you'd have been accurate.
And yet you choose the only outcome that wasn't actually possible to push your point forward...
I wish someone would take the HTTP codes literally:
"200 OK" = You just gave me irrevocable permission.
Or you know, if anyone sues you for copyright infringement, you should sue them back for hacking, since you obviously put the following in your terms of service "you may not access this site if you sue me in the future".
I don't mean to be disparaging, but HTTP status codes have been well-documented. The only issue is that they are used poorly/incorrectly so often.
If you can't use HTTP status codes properly, then you simply aren't in a position to subjectively characterize someone's request as impermissible/unauthorized. This is especially the case when the server's choice to grant access conflicts with your intentions.
What would you do in real life if you found a vending machine that was somehow locked into giving out free drinks if you pushed a button, despite listing a price for each soda?
For all I know it's a stunt by the vending machine company to make people addicted. Free stuff for 1 week, then people have to start paying.
Actually Telenor in Norway recently sold a few hundred tablets for 1,- kr a piece 16 cents US, and this without a contract. First they said, no, no, no, it was a mistake in our computer system, but they ended up having to sell them anyway because they would have such a hard time proving that every one of the customers knew well and right that there must be a mistake.
Anyway special case scenarios would never be covered by your server saying 200 OK.
However, day to day scenarios would. If your server gives people access to a file, and the user has no reason to believe the server is making a mistake. Then the 200 OK holds.
It's like walking into an unlocked building. Many buildings are supposed to be unlocked and people walk in and out as they please. If you put up a big sign saying public library, then you can't go to the police and say someone broke in when you made no attempt to hinder them, then 200 OK holds.
The server is giving the file away. Yes, I asked for it. But unless it's a very limited special case where I seriously went out of my way to trick the server (like a scam artist would in real life), then you can't put a little note under the doormat saying thief.
> Actually Telenor in Norway recently sold a few hundred tablets for 1,- kr a piece 16 cents US, and this without a contract. First they said, no, no, no, it was a mistake in our computer system, but they ended up having to sell them anyway because they would have such a hard time proving that every one of the customers knew well and right that there must be a mistake.
In this example the customers paid the listed price, did they not? It was for exactly this argument that I spelled out "price clearly listed" in my original argument.
I also chose a vending machine knowing full well that whatever someone says will be a personal choice. No legal system would waste its time on someone "stealing" $1.25 from a vending machine that gave you the soda.
It's a moral question, not a legal one. If someone accidentally sets themselves up to be taken advantage of, would you take advantage of them if no one is watching? All of these hacktivists like to talk about how evil and immoral the government, the business, etc. are. So I ask what would they do in a situation with nothing on the line but their integrity.
If they would take the soda then who are they to ride in on their high horse?
If they would not take the soda, then why is it still OK to tromp through a website knowing that you're not supposed to be there, just because the sysadmin is an idiot?
I'm not even saying there's one and only one right answer, but if there's one thing I hate it's hypocrisy, and I think this is true of most people. I don't think that people mean to be hypocritical either. But if we don't critically examine why we think something is right or wrong then do we really have a sense of morality or are we simply doing what we feel is right?
But you don't know you're not supposed to be there, you must have at least visited their site first, clicked their terms of service, before you can find out.
Terms of service are typically very long documents and are time consuming to read. Do you read terms of service of every site you go to, to make sure you are permitted to be on that site?
This is an interesting analogy. Let's see where it goes. So we've got this vending machine. Suppose the door is broken; it won't close. As a result, if you insert money, the machine credits you with having paid but the money falls out onto the floor instead of being held securely inside the machine.
So, can we justify having a law against "unauthorized access to a vending machine"? Let's see what we get based on what someone does.
Scenario A: Defendant takes a soda without paying for it. Defendant is going to argue that this isn't unauthorized access; maybe the prosecutor can argue that it is, but that doesn't even matter. What you're doing is stealing. That's what you should be prosecuted for. There is no call for a law against "unauthorized access" in order to prosecute in this case, what is needed is a law against taking what isn't yours. This scenario occurs in any case for which "unauthorized access" occurs in furtherance of anything which is actually wrong -- the wrong thing should already be illegal and have appropriate penalties for that conduct so there is no benefit in such cases of a separate prohibition on unauthorized access.
Scenario B: You want a soda but the machine won't take your money because the door won't close. So you open up the machine, put a $5 bill in the cash store and take your change and your soda. Here you aren't stealing anything; you've paid the asking price. Great, we've discovered a scenario where the prohibition on unauthorized access actually does something instead of being totally redundant -- you're not authorized to open up the vending machine, so even though you didn't steal anything or do anything to harm anyone, you still accessed it without authorization. So is this the scenario where we want to impose criminal liability? I don't think so. A law prohibiting that conduct is rubbish. You want laws to prohibit doing bad things, not to prohibit doing good things that are unanticipated.
Ignoring the moral issue and treating it as a legal issue - why not?
If they wanted to give me a $100 bill, it is fully within their rights to do so. If I really entered $50, then I certainly did not authorize my bank to debit my account for $100.
They might have some legal grounds depending on the local legislation to request the $50 back due to their fault/mistake, but I can dispute that and the result is far from certain.
If we're debating what the 'taker' should do, then the moral issue applies.
But if we're debating if the 'taker' should be punished (as in the original post), then the legal question applies. It may be wrong to abuse the opportunity, depending on the circumstances, but it would be far more wrong to put the person in jail for doing something the vendor implicitly seemed to allow.
Under UK law, if you receive money in error, you have to have a good faith belief that the money is actually yours. To claim that you thought that the bank was deliberately choosing to give you more money than you asked for (rather than it simply being an error) stretches credulity a little too much.
If in real life that was the typical behavior of a vending machine, I doubt I would notice.
There probably needs to be a way to address the situation where someone knows the data they are accessing ought to be restricted, but your analogy throws away an awful lot of the context that is important to that discussion.
> There probably needs to be a way to address the situation where someone knows the data they are accessing ought to be restricted, but your analogy throws away an awful lot of the context that is important to that discussion.
Perhaps, but IMO it's really the core moral question.
But you are right that context is important, which is why these debates go so often into what "reasonable" persons would do.
So with weev, for instance, I think a "reasonable" person could probably say that they're not really supposed to have access to so much personal data, and that they probably shouldn't have gone way the hell out of their way to get 114,000 email addresses when 4 orders of magnitude less would have sufficed to prove the vulnerability.
Now, do I think that email addresses of any kind warrant 41 months in prison? Absolutely not! But I also don't see how it's a stretch to consider that weev stepped beyond the bounds of reasonable behavior.
Whole societies often end up with unpleasant moral opinions though (I don't mean to suggest that this sets aside the value of acting morally, I mean to suggest that moral intuition is not necessarily a good guide for setting the rules for a society).
A good trick would be massive civil penalties for disclosing personal data to third parties. That leaves us uncomfortable with weev scraping large amounts of data but able to punish him for any damage he causes by sharing it, and it makes some potential for innocent little AT&T to share the stick.
Edit: better to say that it leaves us able to punish weev for causing damage. There is easily potential for causing more damage than could be restored by a single person.
The problem with HTTP status codes is people usually use one of the few they know, instead of looking at the full list and choosing the most suitable from the options. I think a lot of people forget that there is 301 as well as 300.
HTTP statuses are not a semantic description. `200 OK` means only that the transfer of a document can take place -- the legality of the request is a different matter. This would be like holding DOT engineers responsible for making it possible to drive drunk, since the roads have no features to prevent offenders from entering the highway.
A better one might be having a section of road connected to public roads that it is illegal to drive on.
This is still hugely problematic, because it invites discussion of the intent of the operator and the intent of the driver and ignores the part where it is not particularly difficult to put up an effective barrier.
>`200 OK` means only that the transfer of a document can take place -- the legality of the request is a different matter. This would be like holding DOT engineers responsible for making it possible to drive drunk, since the roads have no features to prevent offenders from entering the highway.
You're confusing violating a law with violating the law. If getting "200 OK" means you were authorized and can't be convicted of unauthorized access to a computer, but you proceed to purloin credit card numbers and make fraudulent charges to them, you're still going to jail for credit card fraud.
The real issue is that "unauthorized access" is hopelessly ambiguous if you don't use the likes of protocol status codes, and totally redundant if you do.
If you get "200 OK" then you haven't made unauthorized access because you were authorized. If you get "403 FORBIDDEN" then you haven't made unauthorized access because you were denied access. That interpretation makes "unauthorized access" impossible to achieve, because if access is denied then there is no access to be unauthorized and if access is granted then it is authorized access.
The trouble is that the alternative interpretation is even worse: If you can't rely on what the machine tells you, how do you know when you're authorized? Some cases are really obvious (e.g. you are not authorized to places orders against just any random customer's credit card), but those situations are pretty much always separately illegal regardless of unauthorized access. What that leaves is the hopelessly ambiguous cases, which is what allows prosecutors to argue that violating terms of service or downloading too many journal articles is a federal felony. I'm still not convinced that those cases need to be illegal at all -- and if you can articulate a specific one that ought to be then by all means prohibit it explicitly and stop with the blanket prohibitions on whatever "unauthorized access" is supposed to mean if it doesn't mean what the machine allows you to do.
This law seems analogous to allowing arbitrary code execution; a public website can write it's own law for anyone visiting the site, and hit them with a felony.
"But the real problem is the CFAA, which allows prosecutors to use these silly terms to manufacture computer crimes."
This is all ridiculous. While I understand the point of the post, and it makes for great mainstream media play, it's total hyperbole. The fact that prosecutors can do something and what they would reasonably do are two different things. To wit exceeding the speed limit by 1mph could get you a ticket but almost never gets you a speeding ticket.
I think the part people are worried about is the "almost" in "almost never gets you a speeding ticket."
People will probably almost never be prosecuted for this kind of thing, unless they're looking for an excuse to prosecute someone. I take little comfort in the idea that I'm relying on prosecutors and judges to be reasonable, and I think it's worth taking action when laws like this make arbitrary enforcement possible.
Yes, but heres the thing, on a bad day, if the police decide to single you out, you can get a traffic ticket for being 1mph over the speed limit.
Usually it doesn't make the news because the consequences are something between having to stand up to the police in court and a 300 dollar fine. Nobody cares if you get a speeding ticket over nothing.
The way that the CFAA is written, you can levy felony charges against basically any internet user with impunity. So if the Department of Justice decides to single you out, they can hit you with crazy multi-decade felony charges for the lulz.
And then you end up on the front page of the New York times for killing yourself.
A judge would throw this out (this being either the 1mph over ticket or the 17-year-old reading Seventeen), and the prosecutor who brought it forward would end his career.
Yes, the literal example of a 17 year old reading seventeen is highly implausible. I think their fear is that by using a more complex example they have to try and argue that the complex example did the right thing in the first place. (Like say, Aaron Schwartz) This way they get to use a simple reductio ad absurdum argument that pretty much anybody can understand.
Weather this is an insult to the intelligence of their readers, or carefully calculated propaganda probably depends on who you ask.
But either way, Aaron is actually a bad example as what he was charged with was still wrong to do (even if you agree with the end result he was trying to bring about). Not "felony" wrong perhaps, but even weev would have been a better example for what you're talking about.
On the other hand, "convicted of" is something that matters to the government, not to the rest of us. I'm not going to pretend that someone didn't do something just because a jury never returned a conviction, if there's enough evidence to support the claim in question. Likewise it's possible for a jury to convict people of crimes they've never committed; I won't deign to consider someone "guilty" of something they obviously didn't do just because a jury and legal process said otherwise. I'll leave the splitting of fine hairs to the legal process.
At no time did I suggest a court's ruling was infallible, however drawing conclusions based merely on the fact that someone was accused of something at one point in time is not rational.
What is it that you think he did that was wrong? It recently came out that his project was not to dump it in a torrent like everyone assumed, but to do an analysis on who was funding research. If that's actually true, no laws, in spirit or in letter, were actually broken.
> If that's actually true, no laws, in spirit or in letter, were actually broken.
If you think that, it's because you have latched onto the idea that Aaron was being prosecuted only for thoughtcrime, which is incorrect.
To put it quite simply, Aaron decided to gain access to networks he was quite clearly ejected from. Aaron had access to JSTOR from his own Harvard campus account, so Aaron's own actions (going so far out of his way to do so from MIT's net) indicate he thought he was doing something at least a little bit wrong.
I don't think that evading network bans by itself is necessarily a horrible offense, but I certainly don't think it's completely OK and as far as I know the law doesn't either. In fact the CFAA could apply based merely on the cost of the MIT techs' time it took to track him down, even if he never intended to copy documents.
Where intent did play a role is that it made the existing charges he could have received just for his actions more severe. But he could have wanted to donate to charity and his acts alone would have been illegal.
And, I also think they would have been morally wrong, just as I wouldn't trespass on someone's property if they asked me to leave, no matter how innocuous my purposes are otherwise.
Don't just take my word for it, even Dr. Lessig agreed with that much (that Aaron's actions could be construed as wrong): "...if what the government alleged was true — and I say “if” because I am not revealing what Aaron said to me then — then what he did was wrong. And if not legally wrong, then at least morally wrong." http://lessig.tumblr.com/post/40347463044/prosecutor-as-bull...
Uh, in case you can't read it right now, here's what you predicted:
A judge would throw this out...and the prosecutor who brought it forward would end his career.
Nothing about it never happening, and no reasons besides. So, I asked, "when has a judge thrown it out and the prosecutor's career ended?" To which you replied to the effect of, "Duh! I just told you!"
A judge and/or prosecutor may choose to not apply & enforce applicable law, but the law (however stupid) is there and is applicable. Unenforced and unenforceable laws are nonetheless laws, which have an odd habit of being enforced when a judge or prosecutor find it in their interests to do so.
You can only be hit with a misdemeanor for violating the CFAA. It upgrades to felony status only when in furtherance of another crime.
A lot of this could be solved by getting rid of the misdemeanor penalty, and making it a felony only in conjunction with the commission of another felony.
YUP and you get run off the road half the time if you're only driving the speed limit. And risk pissing off the cops when they aren't ticketing for going too slow.
Selectively enforced laws are terrible. They are tools for enforcers to discriminate. Naturally most people aren't bothered. Most people do not attract the eye of Sauron.
Every time I think about opening up my wallet and donating to the EFF for their various successful efforts, they turn around and post something stupid like this.
They should stop letting 1st year law students write these ridiculous rants. Courts have almost all rejected attempts to criminalize website TOS violations. Indeed, courts have generally held that TOS is binding only against the company, since the company by the terms of the TOS is free to change the terms at will without prior notification to visitors.
The bulk of the Aaaron Swartz case was around distribution of copyrighted material which he was allowed access to but not distribution of. This is not merely a ToS issue as there are laws against distribution of copyrighted material.
Not a single violation in Aaron Swartz's indictment [1] is about copyright law. In fact, they nearly all refer to US Code 1030, which is the CFAA you are claiming the Aaron Swartz case was not about.
In fact, you are incorrect that "he was allowed access" in that the wire fraud counts in the indictment (page 10) is based on the idea that he should not have been given access to JSTOR in the first place. (I'm not claiming that Aaron's access to JSTOR was illegal, but rather that the case against Aaron argued his access was not allowed, while the parent argues that Aaron's case was based on the idea that he was allowed access, but was not permitted to distribute)
Your description of what the Aaron Swartz case is about is completely incongruous with the charges filed by the prosecutor.
"Kicked off" can mean many things. I'd be less sympathetic if a human being actually delivered an English language notice to Aaron, but AIUI they just stopped routing his packets. This could easily be misinterpreted as tripping an automated throttling system, in which case the message would be, "Slow down, try again," not, "Stop!"
> This could easily be misinterpreted as tripping an automated throttling system
He walked into the server closet covering his face with a bicycle helmet. Whatever improvements MIT might be able to make to the message of "you're not welcome on this net", Aaron definitely received it loud and clear.
Everyone has access to the MIT network. There is an open guest wifi network, with a captive portal asking you to provide a name/email to register. He put a fake name (Gary Host) and a throwaway mailinator address (and was charged with wire fraud for doing so).
JSTOR provides unlimited access to MIT and many other schools. Anyone on the MIT network had access to JSTOR. He was not on a JSTOR network.
When JSTOR saw that one user was requesting a lot of files, they assumed a bad motive, and banned the IP address. After he got a new IP address, JSTOR contacted MIT about it, and they banned the MAC address from their wifi network.
> Everyone has access to the MIT network. There is an open guest wifi network, with a captive portal asking you to provide a name/email to register. He put a fake name (Gary Host) and a throwaway mailinator address (and was charged with wire fraud for doing so).
That's just it though, that's not correct. What you might have meant was:
Everyone starts off with access to the MIT network. It is not MIT's obligation to continue to provide network services to anyone that they have a previous contract for. And even for those with contracts, it would almost certainly include boilerplate to the effect that services will be terminated for abuse of the network.
> When JSTOR saw that one user was requesting a lot of files, they assumed a bad motive, and banned the IP address.
> After he got a new IP address, JSTOR contacted MIT about it, and they banned the MAC address from their wifi network.
So you yourself admit: aaronsw started off with access to both JSTOR and MIT networks, and was explicitly kicked off of them both.
What steps did Aaron take to ensure that he was welcome on the networks again when he later tried to connect?
He illegally accessed a network to download material that wasn't his. If this was all a big misunderstanding, why did he set it up the clandestine operation in a server closet? His intent was to distribute the material. The CFAA was the way they went after him. It's pretty simple.
The OP made it seem like he broke some ToS accidentally and then was somehow going to face jail time. This is certainly not the case. He deliberately accessed a network he had been banned from with clear criminal intent.
Yeah, it's pretty obvious here that the problem lies with Hearst Media having ridiculously stupid terms and conditions, as much as the EFF would like to chastise the DoJ for retaining (but not exercising) the right to cite them in a prosecution.
It's "reasoning" on a par with citing lawyer-spam emails as evidence of the need for tort reform.
[To clarify, since I seem to be attracting downvotes, I'm not saying there isn't a potential problem with lack of clarity over whether any ToCs can be used as a basis for criminal prosecution (or for that matter with frivolous litigation). I'm saying that highlighting an absurd ToC that nobody would be remotely interested in enforcing is a poor argument against the enforceability of ToCs per se (similarly: legal threats so spurious they're actually embarrassing don't actually say very much about civil law). Worse still, it's actually counter-productive since the lack of any interest in prosecuting absurd ToCs could be construed by those in favour of criminal penalties for ToC violation as showing the DoJ's discretion works.]
Or, more specifically: "Thankfully, the Ninth and Fourth Circuits have rejected the government’s aggressive interpretation of the CFAA (with amicus help from EFF), but the Justice Department has shown no signs that it has given up on aggressive interpretations."
TOS violations can be analogized into one of several types of real-world crimes -- trespassing, vandalism, or theft. Generally all of these crimes require the victim to press charges.
Except they occur through that lovely Internet, so the feds involve themselves and who knows under what circumstances they would disengage?
Certainly Hearst did not intend to keep teen girls away from Seventeen -- who else would read it?
The option to press charges is probably all that's needed.
It's a good thing nobody actually reads seventeen.com... except advertisers who are trying to figure out what people much younger than them are supposed to like. Which of course is all wrong because it's created by older people.
Which of course is all wrong because it's created by older people.
I wouldn't be so sure of that. The demographic for many magazines are people aspiring to be something they're not and actively seeking to know what they should like.
e.g. The demographic for Seventeen is 10 to 16 year old girls that want to feel older and more mature; the demographic for GQ is mostly men that can't afford most of the things on display in GQ.
The law should be changed, or overturned as unconstitutional, but that is a higly uncertain and lengthy process.
In the meantime, could we start a grassroots campaign to get companies to explicitly state at the top of their ToS that a violation of the ToS may be arbitrated only and does not constitute a 'unauthorized access' under CFAA?
Obviously the EFF would have to draft the exact clause, so that actual destructive hacking can still be prosecuted.
This sounds tricky, but if the EFF can't write something we could put in the ToS to protect users from the Feds trying to extort cooperation from users by abusing CFAA (a la Aaron) then how can we expect legislators to get it right?
Specifically some things the ToS should define is how "damages" will be defined, proper ways to disclose vulnerabilities, things which are NOT considered subverting access control, and a lower standard for trespass of online chattel which required actual damage or dissemination.
105 comments
[ 15.1 ms ] story [ 72.2 ms ] threadI wonder if anyone reads T&Cs, though. Perhaps I should prohibit over-18s from using my websites.
Only problem is that victims can't press criminal charges, only the state can. So these laws are purely tools of the corrupt state actors and their cronies.
It's a paradox in the space-time continuum.
Has any court tested the theory that a minor can be held in violation of a TOS? Contracts entered into by minors are void on their face.
This seems a lot like having a "NO Trespassing" sign in the bathroom of a coffee shop, and then prosecutors charging people who walk in the front door.
You can put that "Reading this sentence makes the sky yellow" in your ToS if you want as well. Doesn't make it true.
However, if the ToS is meant to be law, then yes. But courts are known to throw out ToS sections that are written in bad faith. Anything like weev and Aaron are far edge cases with big money and names behind them. Hearst and the DoJ would be highly unlikely to pursue even civil action for breaking the ToS.
It amounts to:
* If over 18: Select "Over 18".
* If not over 18: Get your parental guardian, who is over 18, to select "Not 18" on your behalf.
Would a ToS hold up in court that specifically denied access to the company's service by government employees?
If a company had that in their ToS, and they discovered that a government employee had used their service, could they sue for damages?
Are businesses in the US obligated to provide service to government employees?
I know that recently there have been some gun shops that have been refusing to serve government employees, so there is at least a small amount of precedent.
Sending unsolicited bulk email has been against the ToS of many service providers for very many years. There's real financial harm done. And spam is disliked by very many people.
Next question?
Note how the headline says it "could" have been illegal--if the Justice Dept. had decided to prosecute a teenager on these grounds (never heard of that happening), and if a federal judge had handed down a conviction on those grounds (the 9th Circuit actually ruled the opposite).
While the law stands in its current unclear state people are still at risk of prosecution. Conviction might be improbable, but it's still an unpleasant situation to be in.
Courts show that judges are not unanimous about this. (https://www.eff.org/cases/u-s-v-nosal)
Note that the Nosal case was a person who was permitted to access to computer, but who then misused information got from it, and not someone who was prevented from accessing the computer.
(https://www.eff.org/deeplinks/2013/01/rebooting-computer-cri...)
Just so you can petition the Supreme Court to take your case, knowing that they can just sit back instead and do nothing?
Wasn't there this Aaron kid that got hit by that very tactic? Hmm. He didn't take the "decades in prison" so well, did he?
So the example you take from what happened to Aaron Swartz is to apply yet more propaganda from the other side, instead of facts?
It's not even something you have to mislead about; 2-3 years in prison as an upper-end estimate is bad enough to make your point without being evasive, and even the ~6 months upper limit that the prosecution had offered in a plea bargain is said to be serious enough to make your point.
You could even mention that Aaron would have been a "felon" should he have been convicted or plea guilty on those charges and you'd have been accurate.
And yet you choose the only outcome that wasn't actually possible to push your point forward...
"200 OK" = You just gave me irrevocable permission.
Or you know, if anyone sues you for copyright infringement, you should sue them back for hacking, since you obviously put the following in your terms of service "you may not access this site if you sue me in the future".
This isn't a hugely well thought through idea.
If you can't use HTTP status codes properly, then you simply aren't in a position to subjectively characterize someone's request as impermissible/unauthorized. This is especially the case when the server's choice to grant access conflicts with your intentions.
Actually Telenor in Norway recently sold a few hundred tablets for 1,- kr a piece 16 cents US, and this without a contract. First they said, no, no, no, it was a mistake in our computer system, but they ended up having to sell them anyway because they would have such a hard time proving that every one of the customers knew well and right that there must be a mistake.
Anyway special case scenarios would never be covered by your server saying 200 OK.
However, day to day scenarios would. If your server gives people access to a file, and the user has no reason to believe the server is making a mistake. Then the 200 OK holds.
It's like walking into an unlocked building. Many buildings are supposed to be unlocked and people walk in and out as they please. If you put up a big sign saying public library, then you can't go to the police and say someone broke in when you made no attempt to hinder them, then 200 OK holds.
The server is giving the file away. Yes, I asked for it. But unless it's a very limited special case where I seriously went out of my way to trick the server (like a scam artist would in real life), then you can't put a little note under the doormat saying thief.
In this example the customers paid the listed price, did they not? It was for exactly this argument that I spelled out "price clearly listed" in my original argument.
I also chose a vending machine knowing full well that whatever someone says will be a personal choice. No legal system would waste its time on someone "stealing" $1.25 from a vending machine that gave you the soda.
It's a moral question, not a legal one. If someone accidentally sets themselves up to be taken advantage of, would you take advantage of them if no one is watching? All of these hacktivists like to talk about how evil and immoral the government, the business, etc. are. So I ask what would they do in a situation with nothing on the line but their integrity.
If they would take the soda then who are they to ride in on their high horse?
If they would not take the soda, then why is it still OK to tromp through a website knowing that you're not supposed to be there, just because the sysadmin is an idiot?
I'm not even saying there's one and only one right answer, but if there's one thing I hate it's hypocrisy, and I think this is true of most people. I don't think that people mean to be hypocritical either. But if we don't critically examine why we think something is right or wrong then do we really have a sense of morality or are we simply doing what we feel is right?
Terms of service are typically very long documents and are time consuming to read. Do you read terms of service of every site you go to, to make sure you are permitted to be on that site?
So, can we justify having a law against "unauthorized access to a vending machine"? Let's see what we get based on what someone does.
Scenario A: Defendant takes a soda without paying for it. Defendant is going to argue that this isn't unauthorized access; maybe the prosecutor can argue that it is, but that doesn't even matter. What you're doing is stealing. That's what you should be prosecuted for. There is no call for a law against "unauthorized access" in order to prosecute in this case, what is needed is a law against taking what isn't yours. This scenario occurs in any case for which "unauthorized access" occurs in furtherance of anything which is actually wrong -- the wrong thing should already be illegal and have appropriate penalties for that conduct so there is no benefit in such cases of a separate prohibition on unauthorized access.
Scenario B: You want a soda but the machine won't take your money because the door won't close. So you open up the machine, put a $5 bill in the cash store and take your change and your soda. Here you aren't stealing anything; you've paid the asking price. Great, we've discovered a scenario where the prohibition on unauthorized access actually does something instead of being totally redundant -- you're not authorized to open up the vending machine, so even though you didn't steal anything or do anything to harm anyone, you still accessed it without authorization. So is this the scenario where we want to impose criminal liability? I don't think so. A law prohibiting that conduct is rubbish. You want laws to prohibit doing bad things, not to prohibit doing good things that are unanticipated.
Unless I damaged/changed the machine beforehand.
If they wanted to give me a $100 bill, it is fully within their rights to do so. If I really entered $50, then I certainly did not authorize my bank to debit my account for $100.
They might have some legal grounds depending on the local legislation to request the $50 back due to their fault/mistake, but I can dispute that and the result is far from certain.
It's unfortunate you ignore it. My original question was precisely a moral question. :)
But if we're debating if the 'taker' should be punished (as in the original post), then the legal question applies. It may be wrong to abuse the opportunity, depending on the circumstances, but it would be far more wrong to put the person in jail for doing something the vendor implicitly seemed to allow.
See, for example, a family who were jailed for exactly this: http://www.guardian.co.uk/uk/2003/jan/16/rebeccaallison2
Citations welcome to this being different in other countries.
There probably needs to be a way to address the situation where someone knows the data they are accessing ought to be restricted, but your analogy throws away an awful lot of the context that is important to that discussion.
Perhaps, but IMO it's really the core moral question.
But you are right that context is important, which is why these debates go so often into what "reasonable" persons would do.
So with weev, for instance, I think a "reasonable" person could probably say that they're not really supposed to have access to so much personal data, and that they probably shouldn't have gone way the hell out of their way to get 114,000 email addresses when 4 orders of magnitude less would have sufficed to prove the vulnerability.
Now, do I think that email addresses of any kind warrant 41 months in prison? Absolutely not! But I also don't see how it's a stretch to consider that weev stepped beyond the bounds of reasonable behavior.
A good trick would be massive civil penalties for disclosing personal data to third parties. That leaves us uncomfortable with weev scraping large amounts of data but able to punish him for any damage he causes by sharing it, and it makes some potential for innocent little AT&T to share the stick.
Edit: better to say that it leaves us able to punish weev for causing damage. There is easily potential for causing more damage than could be restored by a single person.
A better one might be having a section of road connected to public roads that it is illegal to drive on.
This is still hugely problematic, because it invites discussion of the intent of the operator and the intent of the driver and ignores the part where it is not particularly difficult to put up an effective barrier.
You're confusing violating a law with violating the law. If getting "200 OK" means you were authorized and can't be convicted of unauthorized access to a computer, but you proceed to purloin credit card numbers and make fraudulent charges to them, you're still going to jail for credit card fraud.
The real issue is that "unauthorized access" is hopelessly ambiguous if you don't use the likes of protocol status codes, and totally redundant if you do.
If you get "200 OK" then you haven't made unauthorized access because you were authorized. If you get "403 FORBIDDEN" then you haven't made unauthorized access because you were denied access. That interpretation makes "unauthorized access" impossible to achieve, because if access is denied then there is no access to be unauthorized and if access is granted then it is authorized access.
The trouble is that the alternative interpretation is even worse: If you can't rely on what the machine tells you, how do you know when you're authorized? Some cases are really obvious (e.g. you are not authorized to places orders against just any random customer's credit card), but those situations are pretty much always separately illegal regardless of unauthorized access. What that leaves is the hopelessly ambiguous cases, which is what allows prosecutors to argue that violating terms of service or downloading too many journal articles is a federal felony. I'm still not convinced that those cases need to be illegal at all -- and if you can articulate a specific one that ought to be then by all means prohibit it explicitly and stop with the blanket prohibitions on whatever "unauthorized access" is supposed to mean if it doesn't mean what the machine allows you to do.
This is a good summary of the absurdity of 20th century law trying to stretch around the modern world.
One point, though: Thankfully, the Ninth and Fourth Circuits have rejected the government’s aggressive interpretation of the CFAA
The Ninth and Fourth Circuit courts just as much "the government" as the Executive branch. Most of the time, I'm thankful for that fact.
This is all ridiculous. While I understand the point of the post, and it makes for great mainstream media play, it's total hyperbole. The fact that prosecutors can do something and what they would reasonably do are two different things. To wit exceeding the speed limit by 1mph could get you a ticket but almost never gets you a speeding ticket.
People will probably almost never be prosecuted for this kind of thing, unless they're looking for an excuse to prosecute someone. I take little comfort in the idea that I'm relying on prosecutors and judges to be reasonable, and I think it's worth taking action when laws like this make arbitrary enforcement possible.
Usually it doesn't make the news because the consequences are something between having to stand up to the police in court and a 300 dollar fine. Nobody cares if you get a speeding ticket over nothing.
The way that the CFAA is written, you can levy felony charges against basically any internet user with impunity. So if the Department of Justice decides to single you out, they can hit you with crazy multi-decade felony charges for the lulz.
And then you end up on the front page of the New York times for killing yourself.
A judge would throw this out (this being either the 1mph over ticket or the 17-year-old reading Seventeen), and the prosecutor who brought it forward would end his career.
Weather this is an insult to the intelligence of their readers, or carefully calculated propaganda probably depends on who you ask.
But either way, Aaron is actually a bad example as what he was charged with was still wrong to do (even if you agree with the end result he was trying to bring about). Not "felony" wrong perhaps, but even weev would have been a better example for what you're talking about.
On the other hand, "convicted of" is something that matters to the government, not to the rest of us. I'm not going to pretend that someone didn't do something just because a jury never returned a conviction, if there's enough evidence to support the claim in question. Likewise it's possible for a jury to convict people of crimes they've never committed; I won't deign to consider someone "guilty" of something they obviously didn't do just because a jury and legal process said otherwise. I'll leave the splitting of fine hairs to the legal process.
If you think that, it's because you have latched onto the idea that Aaron was being prosecuted only for thoughtcrime, which is incorrect.
To put it quite simply, Aaron decided to gain access to networks he was quite clearly ejected from. Aaron had access to JSTOR from his own Harvard campus account, so Aaron's own actions (going so far out of his way to do so from MIT's net) indicate he thought he was doing something at least a little bit wrong.
I don't think that evading network bans by itself is necessarily a horrible offense, but I certainly don't think it's completely OK and as far as I know the law doesn't either. In fact the CFAA could apply based merely on the cost of the MIT techs' time it took to track him down, even if he never intended to copy documents.
Where intent did play a role is that it made the existing charges he could have received just for his actions more severe. But he could have wanted to donate to charity and his acts alone would have been illegal.
And, I also think they would have been morally wrong, just as I wouldn't trespass on someone's property if they asked me to leave, no matter how innocuous my purposes are otherwise.
Don't just take my word for it, even Dr. Lessig agreed with that much (that Aaron's actions could be construed as wrong): "...if what the government alleged was true — and I say “if” because I am not revealing what Aaron said to me then — then what he did was wrong. And if not legally wrong, then at least morally wrong." http://lessig.tumblr.com/post/40347463044/prosecutor-as-bull...
Doubtful, but I'd be curious to hear of any examples.
A judge would throw this out...and the prosecutor who brought it forward would end his career.
Nothing about it never happening, and no reasons besides. So, I asked, "when has a judge thrown it out and the prosecutor's career ended?" To which you replied to the effect of, "Duh! I just told you!"
A lot of this could be solved by getting rid of the misdemeanor penalty, and making it a felony only in conjunction with the commission of another felony.
Same story here. It's frankly disturbing how few people understand this.
They should stop letting 1st year law students write these ridiculous rants. Courts have almost all rejected attempts to criminalize website TOS violations. Indeed, courts have generally held that TOS is binding only against the company, since the company by the terms of the TOS is free to change the terms at will without prior notification to visitors.
Relying on courts to interpret a law the way that you happen to like seems, well, pretty goddamned stupid. Let's fix the law.
In fact, you are incorrect that "he was allowed access" in that the wire fraud counts in the indictment (page 10) is based on the idea that he should not have been given access to JSTOR in the first place. (I'm not claiming that Aaron's access to JSTOR was illegal, but rather that the case against Aaron argued his access was not allowed, while the parent argues that Aaron's case was based on the idea that he was allowed access, but was not permitted to distribute)
Your description of what the Aaron Swartz case is about is completely incongruous with the charges filed by the prosecutor.
[1] http://www.wired.com/images_blogs/threatlevel/2012/09/swartz...
I.e. he was kicked off of two different nets, MIT's and JSTOR's.
He walked into the server closet covering his face with a bicycle helmet. Whatever improvements MIT might be able to make to the message of "you're not welcome on this net", Aaron definitely received it loud and clear.
JSTOR provides unlimited access to MIT and many other schools. Anyone on the MIT network had access to JSTOR. He was not on a JSTOR network.
When JSTOR saw that one user was requesting a lot of files, they assumed a bad motive, and banned the IP address. After he got a new IP address, JSTOR contacted MIT about it, and they banned the MAC address from their wifi network.
That's just it though, that's not correct. What you might have meant was:
Everyone starts off with access to the MIT network. It is not MIT's obligation to continue to provide network services to anyone that they have a previous contract for. And even for those with contracts, it would almost certainly include boilerplate to the effect that services will be terminated for abuse of the network.
> When JSTOR saw that one user was requesting a lot of files, they assumed a bad motive, and banned the IP address.
> After he got a new IP address, JSTOR contacted MIT about it, and they banned the MAC address from their wifi network.
So you yourself admit: aaronsw started off with access to both JSTOR and MIT networks, and was explicitly kicked off of them both.
What steps did Aaron take to ensure that he was welcome on the networks again when he later tried to connect?
Someone lied to you. Did they have a reason? Did you ask?
The OP made it seem like he broke some ToS accidentally and then was somehow going to face jail time. This is certainly not the case. He deliberately accessed a network he had been banned from with clear criminal intent.
It's "reasoning" on a par with citing lawyer-spam emails as evidence of the need for tort reform.
[To clarify, since I seem to be attracting downvotes, I'm not saying there isn't a potential problem with lack of clarity over whether any ToCs can be used as a basis for criminal prosecution (or for that matter with frivolous litigation). I'm saying that highlighting an absurd ToC that nobody would be remotely interested in enforcing is a poor argument against the enforceability of ToCs per se (similarly: legal threats so spurious they're actually embarrassing don't actually say very much about civil law). Worse still, it's actually counter-productive since the lack of any interest in prosecuting absurd ToCs could be construed by those in favour of criminal penalties for ToC violation as showing the DoJ's discretion works.]
source: TFA.
I wouldn't be so sure of that. The demographic for many magazines are people aspiring to be something they're not and actively seeking to know what they should like.
e.g. The demographic for Seventeen is 10 to 16 year old girls that want to feel older and more mature; the demographic for GQ is mostly men that can't afford most of the things on display in GQ.
In the meantime, could we start a grassroots campaign to get companies to explicitly state at the top of their ToS that a violation of the ToS may be arbitrated only and does not constitute a 'unauthorized access' under CFAA?
Obviously the EFF would have to draft the exact clause, so that actual destructive hacking can still be prosecuted.
This sounds tricky, but if the EFF can't write something we could put in the ToS to protect users from the Feds trying to extort cooperation from users by abusing CFAA (a la Aaron) then how can we expect legislators to get it right?
Specifically some things the ToS should define is how "damages" will be defined, proper ways to disclose vulnerabilities, things which are NOT considered subverting access control, and a lower standard for trespass of online chattel which required actual damage or dissemination.