Imagine a very angry 22-year-old is fired from his IT job at a hospital, has his credentials revoked, and uses his knowledge of vulnerabilities at his old work site to log in and rm a bunch of servers. Imagine that as a result, the hospital is unable to enroll patients or to get MRI results back or things like that. Without CFAA, what crime has been committed?
The appropriate penalty for defacing a website should probably be very low. Defacing sites should be criminal, and probably a felony, but the bulk of the remedy should be civil.
Well, the non-virtual analog would be "malicious destruction of property", no? And if he were to, say, physically go over to the hospital and smash the MRI machine, would he be charged with additional crimes due to the hospital's inability to take MRIs? So maybe this is what you mean by 'property crimes' - a specific analog for 'malicious destruction of data' or the like.
I'm not quite sure I agree that defacing a site should automatically be a felony. But that's even presently based on the dollar value of the damage caused being over $5k, right? (which seems pretty low and maybe that combined with overblown copyright maximalist valuations is the real problem). I need to brush up on what the current laws actually say; I remember them as basically do anything to a machine out of what "normal people" expect (like even just nmap) and you could technically get screwed.
I strongly agree with you that the sentencing for CFAA crimes makes no sense. You can do $300 or $5000 or $1000000 worth of damage based solely on the number you type into a for() loop. That doesn't make any sense. I have a hobbyhorse about how the Internet has made criminal mischief so easy to accomplish that people do it without thinking; that the Internet & technology are short-circuiting our judgement. I don't think that the criminality of an act should depend solely on how difficult it was to accomplish. But I also don't think sentences should scale with assessed damages. We already have a remedy that scales with damages: tort claims.
I think a more sensible regime would accelerate the severity of computer abuse based on:
Well ya know if criminal mischief is so easy to accomplish that it occurs somewhat unconsciously, maybe that sort of soft threat just needs to be viewed as the hostile background noise of a public network ;).
Yeah, scaling the sentence based on damages doesn't exactly make sense. Scaling based on damages that were intentionally caused might be a bit closer, but still has problems with the outrageous numbers for copyrighted information.
I can also see your above bullet points going very wrong. I mean, trying not to harp on it, but if we take Aaron's case (and just assume he ran afoul of this hypothetical law by changing his IP to continue to access JSTOR), how many of those would he have run afoul of? Seems like definitely Malicious and Obstruction, and could be argued PublicHarm. And it seems like most cases would involve Obstruction for things like ln -sf /dev/null ~/.bash_history. So we're once again triggering these scary sounding tests of harm for something that isn't ultimately that harmful.
I know it's a common moralization, but some test based on technical simplicity could fix a lot of the things that not-totally-malicious people would run up against.
I wrote that knowing he'd have fallen afoul of malice and obstruction (I doubt very much public harm, though). Those tests are all things I've seen in other statutes, for what it's worth. But, on the off chance that this helps clarify my mentality to you, I'm thinking we have an O(n) problem with CFAA sentencing today, and my alternative model is O(1).
He also could have gone to court with some confidence that even if a jury was so petrified by "computer hacking" and so snowed by the complexity and broadness of the law, he'd stand a very good chance of establishing that he had no true malicious intent, and that his attempts to obstruct investigation were minimal (for instance, he used Mailinator, with its prima facie artificial addresses, instead of more realistic throwaway Gmail addresses).
What sentence do you think Aaron should have been facing in court? How about someone who roots and wipes a multiuser box for revenge? How do you discriminate between the two?
I've got a hard time trying to come up with something "right" because it doesn't feel like Aaron's access should really be a crime at all, and JSTOR can go for civil damages or criminal copyright infringement. And it also doesn't feel like we need a law to punish someone for using a computer while defrauding a bank, because we've already got a law for defrauding a bank that even gets applied when you do it in person. And to the extent that one can cause purely virtual destruction (and hence not have any physical world laws apply), that should be the thing that is addressed as the primary crime, instead of having a lone charge of something that is usually bundled on top of other crimes to punish harder.
What about punishment of cracking applying solely to damage done to the cracked systems (either categorically or monetarily, and possibly including something like your tests)? This would also put someone who successfully tries an sshd exploit and then emails the administrator completely in the right - something we've never had. What scenarios would this leave completely unpunished (with no applicable laws), and can those just be fixed with similar categories?
In similar situations charges could include vandalism, losses resulting from disruption of service, etc, but in the example you have given most likely reckless/public endangerment and direct damages associated with creating or repairing the state of the system; the specific statutes would vary by jurisdiction and case details, but the CFAA doesn't say anything important that hasn't already been accounted for. At the moment people are saying "you can't do this to my data," when they should be saying "you can't do this to my body and my physical property," independent of how. The Internet is just one more way of reaching out and touching someone. People already know the effects that are worth preventing and admonishing. Copyright infringement is one effect being discouraged, not because the data are holy but because of hypothetical financial damages. Whether hypothetical damages are or aren't valid should be discussed directly, without vacuous TOS wrappers and ministrations about the moral uses of data within a network.