Aaron's Law: repeal CFAA rather than amend it (erratasec.blogspot.com)
50 points by jessaustin on Jan 17, 2013 | 42 comments


Pollution is also inconsistently regulated around the world. We should definitely look into getting rid of those rules; all we're doing is hamstringing our own industry while the smart people just find ways to offshore their offenses. Mercury poisoning for everyone!


I've never heard of death by copying. :)


Copying shouldn't be a felony under the CFAA. To the extent that prosecutors find ways to bring civil torts to federal court as CFAA felony charges, that needs to change. But in fact, that's the opposite of what Robert is recommending in this post: he thinks that we remove the computer abuse element of the crime and focus on the property crime issue.


Isn't the major property of the entire CFAA that it makes civil torts into federal felonies? It's not about focusing on just the property crimes, but any other crime done by exploiting a computer. Crack a hospital and shut off a ventilator? That's murder 1, 2, or 3.

As for pure computer tampering, what should the appropriate criminal penalty be for, say, breaking into HN and putting a banner at the top of everyone's page? Sounds an awful lot like misdemeanor territory to me.


Imagine a very angry 22 year old is fired from his IT job at a hospital, has his credentials revoked, and uses his knowledge of vulnerabilities at his old work site to log in and rm a bunch of servers. Imagine that as a result, the hospital is unable to enroll patients or to get MRI results back or things like that. Without CFAA, what crime has been committed?

The appropriate penalty for defacing a website should probably be very low. Defacing sites should be criminal, and probably a felony, but the bulk of the remedy should be civil.


Well, the non-virtual analog would be "malicious destruction of property", no? And if he were to, say, physically go over to the hospital and smash the MRI machine, would he be charged with additional crimes due to the hospital's inability to take MRIs? So maybe this is what you mean by 'property crimes' - a specific analog for 'malicious destruction of data' or the like.

I'm not quite sure I agree that defacing a site should automatically be a felony. But that's even presently based on the dollar value of the damage caused being over $5k, right? (which seems pretty low and maybe that combined with overblown copyright maximalist valuations is the real problem). I need to brush up on what the current laws actually say; I remember them as basically do anything to a machine out of what "normal people" expect (like even just nmap) and you could technically get screwed.


I strongly agree with you that the sentencing for CFAA crimes makes no sense. You can do $300 or $5000 or $1000000 worth of damage based solely on the number you type into a for() loop. That doesn't make any sense. I have a hobbyhorse about how the Internet has made criminal mischief so easy to accomplish that people do it without thinking; that the Internet & technology are short-circuiting our judgement. I don't think that the criminality of an act should depend solely on how difficult it was to accomplish. But I also don't think sentences should scale with assessed damages. We already have a remedy that scales with damages: tort claims.

I think a more sensible regime would accelerate the severity of computer abuse based on:

* Commercial intent

* Harm to the public

* Knowing involvement of critical infrastructure

* Malicious intent

* Repeat offenses

* Attempts to obstruct investigation


Well ya know if criminal mischief is so easy to accomplish that it occurs somewhat unconsciously, maybe that sort of soft threat just needs to be viewed as the hostile background noise of a public network ;).

Yeah, scaling the sentence based on damages doesn't exactly make sense. Scaling based on damages that were intentionally caused might be a bit closer, but still has problems with the outrageous numbers for copyrighted information.

I can also see your above bullet points going very wrong. I mean, trying not to harp on it, but if we take Aaron's case (and just assume he ran afoul of this hypothetical law by changing his IP to continue to access JSTOR), how many of those would he have run afoul of? Seems like definitely Malicious and Obstruction, and could be argued PublicHarm. And it seems like most cases would involve Obstruction for things like ln -sf /dev/null ~/.bash_history. So we're once again triggering these scary sounding tests of harm for something that isn't ultimately that harmful.

I know it's a common moralization, but some test based on technical simplicity could fix a lot of the things that not-totally-malicious people would run up against.


I wrote that knowing he'd have fallen afoul of malice and obstruction (I doubt very much public harm, though). Those tests are all things I've seen in other statutes, for what it's worth. But, on the off chance that this helps clarify my mentality to you, I'm thinking we have an O(n) problem with CFAA sentencing today, and my alternative model is O(1).

He also could have gone to court with some confidence that even if a jury was so petrified by "computer hacking" and so snowed by the complexity and broadness of the law, he'd stand a very good chance of establishing that he had no true malicious intent, and that his attempts to obstruct investigation were minimal (for instance, he used Mailinator, with its prima facie artificial addresses, instead of more realistic throwaway Gmail addresses).


What sentence do you think Aaron should have been facing in court? How about someone who roots and wipes a multiuser box for revenge? How do you discriminate between the two?

I've got a hard time trying to come up with something "right" because it doesn't feel like Aaron's access should really be a crime at all, and JSTOR can go for civil damages or criminal copyright infringement. And it also doesn't feel like we need a law to punish someone for using a computer while defrauding a bank, because we've already got a law for defrauding a bank that even gets applied when you do it in person. And to the extent that one can cause purely virtual destruction (and hence not have any physical world laws apply), that should be the thing that is addressed as the primary crime, instead of having a lone charge of something that is usually bundled on top of other crimes to punish harder.

What about punishment of cracking applying solely to damage done to the cracked systems (either categorically or monetarily, and possibly including something like your tests)? This would also put someone who successfully tries an sshd exploit and then emails the administrator completely in the right - something we've never had. What scenarios would this leave completely unpunished (with no applicable laws), and can those just be fixed with similar categories?


In similar situations charges could include vandalism, losses resulting from disruption of service, etc, but in the example you have given most likely reckless/public endangerment and direct damages associated with creating or repairing the state of the system; the specific statutes would vary by jurisdiction and case details, but the CFAA doesn't say anything important that hasn't already been accounted for. At the moment people are saying "you can't do this to my data," when they should be saying "you can't do this to my body and my physical property," independent of how. The Internet is just one more way of reaching out and touching someone. People already know the effects that are worth preventing and admonishing. Copyright infringement is one effect being discouraged, not because the data are holy but because of hypothetical financial damages. Whether hypothetical damages are or aren't valid should be discussed directly, without vacuous TOS wrappers and ministrations about the moral uses of data within a network.


What property crime would that be again?


"Stolen" credit card numbers, "stolen" bank account information, "stolen" browser histories, "stolen" copyrighted files. Swartz wasn't charged with criminal copyright violation.


"Copied" credit card numbers, etc... (FTFY)

Fraudulently charging a card is prohibited and addressed in other laws. Copying isn't injury on its own.


Copyright infringement is already illegal without the CFAA.


So there's no need for it.


Non sequitur.


To clarify, by your own assertion, the CFAA isn't necessary to address specific claims of damage (you have suggested copyright). Removing it would place the justification of damage (for example, copyright) back at the center of the debate, where I think it should be.


@rprasad:

1. You're hellbanned. By the looks of it, starting from a comment that shouldn't even have been that inflammatory (email pg. really.).

2. As to your comment and profile message:

I think a lot of what pushed the conversation towards "mob justice" instead of "whether his actions should even have been a crime" is that idealistic hackers have been making the argument to get rid of the CFAA and all other open-ended "unauthorized access" laws for quite some time, and are generally dismissed as unreasonable trolls. So rather than bringing up that same point again (which will still get dismissed out of hand by most people - I mean most people think that "identity theft" is actually a real thing!), "we" have to proceed on the assumption that those terrible laws are here to stay until digital natives become the majority, and can only hope to punish the prosecutorial bullying that made the threat of a three decade incarceration the price for a jury trial.


There are accidental hellbans that get reversed. (I was subject to one once.) I doubt that his was accidental. See http://news.ycombinator.com/item?id=5065497 and http://news.ycombinator.com/item?id=5065487 for why, if I was running the site, I'd want him to at least have a cooling off period.


a comment that shouldn't even have been that inflammatory

A comment to the effect of "innocent people don't commit suicide"? That's pretty obnoxious in the best of times. In the current context the result is not so surprising.

I don't advocate hellbanning for any specific person, but the practice itself is so amusing that I'm glad it exists. Perhaps HN's implementation is not subtle enough, if the hellban target notices so quickly.


Honestly, I've always found 90% of his comments annoying lawyer status-quoism. And yeah, I'm just noticing that the two comments before the deadened ones are quite hostile.

But, his comment in this thread:

> Agreed. The solution to a bad law is usually to get rid of the law and start again from the ground-up. Amending a law leaves open the possibility of missing out on critical flaws.

Part of profile when I first clicked:

> A guilty man killed himself, and drove the Interwebz into a frenzy. The discussion should be about whether his actions should even have been a crime, and what society could do better to prevent future suicides. Instead, most of HN, including some of its most "respected" members have been demanding mob justice of the prosecutors handling the case.

So my curiosity has been piqued. Perhaps it's too early and heels are still dug in, but what are the practical concerns for fixing these open ended extremely harsh laws? Clearly removing TOSs from the scope of "authorization" fixes something major, but it's certainly not the whole story and I personally don't think it would have prevented Aaron's predicament.


Perhaps it's too early and heels are still dug in, but what are the practical concerns for fixing these open ended extremely harsh laws? Clearly removing TOSs from the scope of "authorization" fixes something major, but it's certainly not the whole story and I personally don't think it would have prevented Aaron's predicament.

If part 4 of http://www.volokh.com/2013/01/16/the-criminal-charges-agains... has any truth to it, we really don't want legislation about the TOS authorization issue when we have good precedent for that, and the prospect of a Supreme Court case that solves the problem more cleanly than legislation would.

The suggested legislative fixes that Orrin Kerr recommends seem reasonable to me. I'd personally like to see more informed commentary on that issue.

-----

On rprasad, he made enough clearly wrong assertions about the law from personal authority that I had him on a list of people to assume by default they are wrong. However I still make a point of trying to listen to and engage people I disagree with. (Sometimes to my grief.) I'm not unhappy that he's gone, but if he chose, I think he could have made good contributions to HN.

I strongly suspect that he'd have much more nasty things to say about me than what I just said about him.


This sentiment will really annoy the old folks. The law doesn't "work" because it can't. In the future, when more of life is like life online, we might be less "safe", but we'll be more free.


You'll be free to spend a lot more time worrying about offending people with time or resource advantages who will retaliate by disrupting your life online. But don't worry, I'm sure everybody who could fuck you over online will always share your beliefs.


Retaliate for what? I'm a nice guy!

Really, though, after the last couple of years it seems reasonable for USA citizens to feel more threatened than protected by the CFAA, whether they're activists or they just choose to change their MAC occasionally.


I've drawn the opposite conclusion from the last 2 years.

Nobody has been charged under CFAA simply for changing their MAC address. When you try to turn the Swartz case into a slogan like that, you do your whole argument a disservice, because your slogan is trivially refuted.


OK, I'll stipulate that you don't feel threatened by the CFAA. In what sense do you feel protected by it?


I'll be less terse: the odds that any American's life is going to be disrupted by someone who would violate the CFAA is much higher than the odds that a federal prosecutor would bring a CFAA case against them.

I am not arguing that the CFAA doesn't badly need fixes. The zeitgeist seems to say that the big problem is criminalization of ToS violations (which was in the wake of Lori Drew inevitably going to stop being the case anyways), but I think the real problem is the sentencing rules that follow CFAA convictions.


What about the odds that one's life is going to be disrupted by someone who would violate the CFAA but no other laws (also then multiplied by the chance of said violation actually being successfully investigated and prosecuted) versus the ever-present odds of one's life being disrupted by someone outside of the reach of the CFAA?


I think the globalization issue is a little bit overblown, since most other western countries have similar laws, and a huge fraction of the online crime that affects Americans originates from the west.


And what about those in the west that will really never get caught? I mean, presumably one of the reasons sentences are so high is because enforcement is so hit or miss, even though higher sentences don't deter people who think they're invincible.


Agree: it is a problem that it's so difficult to investigate computer crime that the unfortunate few who get caught also deal with all of society's pent up frustrations. We can address that by fixing sentencing.


Thanks for elaborating.

Is the CFAA an effective deterrent to this sort of disruption? If the disruption is economic in nature (banking, credit card etc.), the guilty party is likely overseas. If the disruption is of a personally embarrassing nature, prosecution will only occur if the victim is famous. If the disruption is "tragic" (Lori Drew etc.), we probably don't want the law to address it.

I agree that sentencing rules are a serious problem, but that problem is much more general than the CFAA. We have entirely too many people in prison.


No, it's not an effective deterrent, and that's an ambient public policy problem that probably contributed to Aaron's maltreatment. Every prosecutor in the country has to be painfully aware of the absurdly low percentage of computer crimes that are ever properly investigated, let alone convicted and sentenced under CFAA. As a result, when we get our talons into one unlucky person, they tend to get walloped.

The response to that can't be to make genuine intrusions harder to prosecute. That's the opposite direction we need to go. But regardless of that fact, there's no reason we need to be dangling 5 year sentences in front of first-time offenders.


What do you mean the "law doesn't work"? De Morgan's laws are working just fine!


The law [not "The Law"] referenced in the title, of course: CFAA. Like all USA laws, it can only be regularly enforced within the USA. Since many threats are based outside the USA, this crudely-designed law harms domestic innovation more than it reduces the overall security threat. This is covered in TFA.


The CFAA harms domestic innovation... how?


Numerous security researchers complained that the Weev/ATT case had unfortunate implications for security research. I'd argue it had even worse implications for the customers of companies whose calls US Attorneys will take. When they call the prosecutors rather than their IT staff, the customer suffers. Reasonable people can disagree about the proper form of disclosure, but surely the CFAA doesn't contribute constructively to that conversation.


I'm not happy with the idea that an IRC log taken out of context created a conspiracy conviction for Auernheimer, but that said, this is a bit of a false dichotomy. The options aren't simply "silently tell the company" and "publicly shame the company by publishing sensitive data". There's also "tell the company and present a timeline in which you're going to alert the press of the vulnerability without publishing personal information of any sort"; that option is the gold standard used by security researchers.

Having said all that: testing for vulnerabilities in other people's deployed web applications is fraught and should be so. If you think consumers should be entitled to know about vulnerabilities, tell them to use only applications with a published disclosure policy, like Google and Facebook and 37signals have.


Indeed that is excellent advice. I'm not sure what one's options are with respect to mobile phone service (this seems like the sort of thing "Ting" might do), but I'd avoid ATT.


I wouldn't hold my breath, but it's a nice idea.
