
Orin Kerr: Why I Am Representing Auernheimer Pro Bono on Appeal - rdl
http://www.volokh.com/2013/03/21/united-states-v-auernheimer-and-why-i-am-representing-auernheimer-pro-bono-on-appeal-before-the-third-circuit/
======
Lazare
Good to hear. I have quite a lot of respect for Kerr; he's one of the foremost
experts in this area (the intersection of the 4th amendment with computers
and networks), and I think Weev's case is a serious injustice.

As an aside, I actually think it's clear that Weev's case is a vastly larger
injustice than Aaron Swartz's case.

Swartz clearly violated the law in an act of willing and knowing civil
disobedience. The law restricts people from unauthorized access to a network;
Swartz and the MIT network admins played a game of cat and mouse as they kept
banning him, and he kept finding new ways of gaining access to the network.
There's no way to argue Swartz didn't realize that he was gaining unauthorized
access to a network. At one point he was hiding his face from security
cameras; there's no way to spin that as "oh, he thought he was doing something
perfectly allowable!" And once caught, he was offered a reasonable plea deal.

In contrast, Weev...fairly clearly did _not_ gain unauthorized access to a
network. It was a publicly available website, and no one ever tried to stop
him. His actions were at worst borderline, and yet he ended up with a sentence
MUCH higher than Swartz.

I have a lot of sympathy for Swartz (not least because of his tragic suicide),
but at the end of the day he knowingly and wilfully violated the law in an act
of civil disobedience, and was offered a plea deal of less than a year. Weev
probably did not violate the law, and was sentenced to years in prison.

Weev needs and deserves help. I had to cheer a bit when I saw Kerr was going
to be helping him.

~~~
sigzero
Didn't he use an unpublished link? That would be "unauthorized" to me.

~~~
ghshephard
Curious - did I do something "unauthorized" by entering:

<https://news.ycombinator.com/item?id=5419914>

Into the URL bar? (One less than this article's URL)

~~~
rayiner
It's absurdly reductionist to make arguments like this. There are lots of
things that are okay or not okay based on context. Is it unauthorized to type
the above into a URL bar? Almost certainly not. Might it be unauthorized if
you type it into a URL bar, see that it contains private information that by
its nature was probably not intended to be public, then do it 10,000 more
times? Then that might be unauthorized.

There is no reason to reduce the world to absurd simplicities when even
children would be able to distinguish between various courses of action.

~~~
lifeisstillgood
Honestly I am struggling to think of an action that is ok to do once but
illegal to repeat a thousand times - you make it sound like the bad
businessman's theory - we make a loss on each item but make up for it in volume

~~~
rayiner
Try dumping one coke can on someone's yard versus 10,000.

~~~
fnordfnordfnord
Do you want my physical address? I'll take your 10,000 aluminum cans.

~~~
mpyne
Not cans. The contents of the cans.

~~~
fnordfnordfnord
In that case, either one may be littering, vandalism, or property destruction.
While it would be wasteful and silly to pursue a prosecution for one
occurrence, a single occurrence is still a crime.

~~~
mpyne
Let's go to the logical extreme then:

Is dripping one solitary drop of soda the exact same crime as inundating your
yard continuously with soda for, say, 24 hours?

------
danso
Mr. Kerr is a standup guy. Not everyone agreed with his measured defense of
prosecutorial conduct in Aaron Swartz's case
(<https://news.ycombinator.com/item?id=5053754>) but he has always been firm
in opposing the misuse of the CFAA on principled and constitutional grounds.
That he's defending someone that even the Reddit crowd despised (for personal
reasons) is a confirmation of Kerr's respect for principles.

~~~
fnordfnordfnord
>...even the Reddit crowd despised

That's a terrible standard. There are some pretty awful things said by
Redditors, especially in Weev's recent thread.

I think Kerr's defense of Weev is less for Weev's personal sake than it is for
the sake of Kerr's vocation. Either way I'm glad he is stepping up.

~~~
_delirium
Yes, that's what makes me quite trusting of his claimed motivation. Weev is
one of the less sympathetic defendants you can find in this case in general,
and is not aligned with Kerr's own politics or personality either (Kerr is
generally a moderately conservative guy, in favor of law-and-order but with
strong safeguards for liberty).

That leads me to suspect that Kerr is _especially_ worried about the
precedents here, much more than he's worried about Weev's own fate.

------
calhoun137
Many people can't imagine how what weev did is a crime according to the law,
and comments in HN threads about legal issues seem to be based on the
assumption that the legal system is a consistent set of rules, sort of like
the axioms of mathematics, in which a certain question or problem is posed and
by a correct application of the rules of the legal system it is possible to
come to a definite conclusion about what the law says. However, there is an
amazing paper which shows that in virtually every case, a "correct"
application of law actually leads to different conclusions which contradict
each other.

This excellent paper is by Karl N. Llewellyn and is called "Remarks on the
Theory of Appellate Decisions and the Rules or Canons about how Statutes are
to be Construed"[1]. I once read almost the whole thing, and the following
quote from the first page sums up his main point pretty nicely.

"The major defect in [the legal system] is a mistaken idea which many lawyers
have about it—to wit, the idea that the cases themselves in and of themselves,
plus the correct rules on how to handle cases, provide one single correct
answer to a disputed issue of law. In fact the available correct answers are
two, three, or ten. The question is: Which of the available correct answers
will the court select—and why? For, since there is always more than one
available correct answer, the court always has to select."

IIRC, he discusses the role of precedent as an important aspect of deciding
how to apply the law, but also the ability of a judge to decide to overturn a
precedent for a wide variety of reasons. He also discusses the role played by
the intention of law makers when passing law, which is ultimately a subjective
judgment made by a person, and which is not spelled out in the actual written
law itself.

The paper is considered something of a classic, and I would encourage everyone
to take a look at it.

[1] <http://mtweb.mtsu.edu/cewillis/Hermeneutics/Llewellyn%20on%20Canons%20of%20Interpretation.pdf>

------
jhales
I was at the sentencing and the prosecution argued that spoofing the user-
agent constituted fraud...

<https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/>

My friend also informed me:

" HTTP has an error code, 401, for unauthorized access. AT&T responded with
code 200 meaning OK."

The more one finds out about this case the more incredible it is.

~~~
lessnonymous
This, to me, is the totality of the case: AT&T said accessing that data was
OK. If it wasn't they should have returned a 401 or challenged for further
authentication.

Incrementing a phone number by one doesn't make it illegal to call it. If the
person at the end then says "who are you" and you lie, then that's fraud. But
if they just tell you something, there's no way anyone can claim that you
obtained that information unlawfully.

~~~
AnthonyMouse
Here's the problem with all of this: If you send a sufficiently vulnerable
server a specially crafted request, you can get it to come back with "200 OK"
and a list of everybody's credit card numbers. Conversely, if you're an
employee of Foo, Inc. and you sign in to a secure server with your personal
account and try to do something privileged, it's going to come back with "401
Unauthorized" and not give you anything even though you are actually
authorized, and if you then sign in with your employee account it will allow
you to do that thing.

As a general rule what the machine says has a very strong relationship with
whether or not you're authorized to do something. The issue is that if you're
not authorized then a properly functioning machine just won't let you do it,
which means that it seems impossible for anyone to violate this law against a
server that is working properly.

The only way anyone can be capable of breaking this law is if the server is
not working properly and allows them to gain access without authorization.
Which is why "unauthorized access" is such a vague and hopeless disaster.
Going by the normal mechanism for determining whether you have authorized
access, namely whether the server allows you to do something, would mean that
no one could ever commit the crime, because either you never actually gain
unauthorized access since you're prevented by a server with sufficient
security, or you succeed in convincing the server to let you do something
which under normal circumstances implies that you're authorized.

Seemingly the only way anyone would ever be convicted is based on a pile of
circumstantial nonsense about how the defendant should have known they weren't
authorized to do something that the server allowed them to do, even though
normally you _are_ authorized to do anything the server allows you to do.

So it becomes a de facto law against "doing bad things with a computer" -- not
a specific prohibition against anything in particular, just something you
stick to anybody who you don't like, because hey, if you did something "bad"
then it wouldn't be authorized, right?

~~~
flyinRyan
> If you send a sufficiently vulnerable server a specially crafted request,
> you can get it to come back with "200 OK" and a list of everybody's credit
> card numbers.

If, if, if, if. What Weev did was spoof what kind of client he was using.
That's it. What you're sugar-coating here is using exploits to break into a
secure system. That is, you encounter a _secured system_ and find a way to
circumvent that security. For the data Weev encountered was there any possible
way to get a 401 response for the URLs?

~~~
AnthonyMouse
>What you're suger coating here is using exploits to break into a secure
system.

No. Because using "exploits" (not a legally defined term AFAIK) doesn't
necessarily mean that access was unauthorized. If you're the sysadmin for a
remote server that you suddenly discover you can't login to with your account
and that people are complaining that it's sending spam, and you smash the
stack on a vulnerable application running on the server in order to regain
control and shut it down, I should hope that wouldn't be "unauthorized access"
and subject to criminal penalties.

And then there's the fact that "exploit" is a fuzzy and undefined thing. Is
changing "userid=4833" to "userid=4834" to get another user's account not an
"exploit" but changing "userid=4833" to "userid=0" to get root access is? What
if the maximum userid is 65535 and if you use "userid=65536" then it rolls
back around and gives you root because it's equivalent to "userid=0" but
doesn't get rejected like "userid=0" would? This is no way for a criminal law
to operate.

>For the data Weev encountered was there any possible way to get a 401
response for the URLs?

Sure there was. If AT&T had configured their server properly then that's
exactly what it would have given him. If I wanted to introduce some irony then
I would have to ask you whether you were "blaming the victim" here.
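
The status-code argument in this subthread (jhales's point that a 200 rather than a 401 came back, and AnthonyMouse's userid=4833/4834/65536 examples above) in runnable form. This is an added example, not code from the thread, from the case record or from AT&T: a toy endpoint whose only "authorization" is a User-Agent check on a guessable integer ID, next to a hardened one that authenticates first (401), authorizes per object (403) and rejects out-of-range IDs instead of masking them. The account table, the "ExpectedClient" header string, the bearer tokens and the 16-bit ID field are all constructed for the demo.

```python
"""Added example for the HN thread above; not code from the thread, the
case record or AT&T.  Every ID, header, token and address here is constructed."""

from dataclasses import dataclass

# Constructed account table: guessable sequential IDs -> the e-mail behind them.
# ID 0 stands in for the privileged record the thread calls "root".
ACCOUNTS = {
    0: "admin@example.com (privileged record)",
    4833: "alice@example.com",
    4834: "bob@example.com",
    4835: "carol@example.com",
}

# Constructed bearer tokens for the hardened endpoint: token -> owning account.
TOKENS = {"tok-alice": 4833, "tok-bob": 4834}

MAX_UID = 0xFFFF  # the 16-bit userid field from the thread's 65535/65536 example


@dataclass
class Request:
    path: str
    headers: dict


@dataclass
class Response:
    status: int
    body: str


def parse_userid(path):
    """Return N from a path like /account?userid=N, or None if absent."""
    _, _, query = path.partition("?")
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == "userid" and value.isdigit():
            return int(value)
    return None


def weak_endpoint(req):
    """The server as the thread describes it: 'authorization' is a User-Agent
    check plus a guessable integer, so a changed header and an incremented ID
    get a stranger's data with 200 OK, and the one explicit check (userid=0)
    is defeated by 16-bit wraparound (65536 & 0xFFFF == 0)."""
    if "ExpectedClient" not in req.headers.get("User-Agent", ""):
        return Response(403, "client not supported")
    uid = parse_userid(req.path)
    if uid is None:
        return Response(400, "missing userid")
    if uid == 0:
        return Response(403, "privileged record not served")  # checked...
    uid &= MAX_UID  # ...before the field is truncated, so 65536 becomes 0
    email = ACCOUNTS.get(uid)
    if email is None:
        return Response(404, "no such account")
    return Response(200, email)  # 200 OK although nobody ever authenticated


def hardened_endpoint(req):
    """Authenticate (401), then authorize per object (403), then validate the
    ID as a number in range instead of masking it (400)."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in TOKENS:
        return Response(401, "authentication required")
    caller = TOKENS[token]
    uid = parse_userid(req.path)
    if uid is None or not 0 < uid <= MAX_UID:
        return Response(400, "bad userid")  # reject out-of-range, never wrap
    if uid != caller:
        return Response(403, "forbidden")  # the object must belong to the caller
    return Response(200, ACCOUNTS[caller])


def enumerate_ids(endpoint, start, count, headers):
    """The 'do it 10,000 more times' loop: returns {userid: body} for every
    200 OK the endpoint hands back."""
    hits = {}
    for uid in range(start, start + count):
        resp = endpoint(Request(f"/account?userid={uid}", headers))
        if resp.status == 200:
            hits[uid] = resp.body
    return hits


if __name__ == "__main__":
    spoofed = {"User-Agent": "ExpectedClient/1.0"}  # the header change at issue
    print(enumerate_ids(weak_endpoint, 4833, 3, spoofed))
    print(weak_endpoint(Request("/account?userid=0", spoofed)))
    print(weak_endpoint(Request("/account?userid=65536", spoofed)))
    print(enumerate_ids(hardened_endpoint, 4833, 3, spoofed))
    print(enumerate_ids(hardened_endpoint, 4833, 3, {"Authorization": "Bearer tok-alice"}))
```

The design point for practitioners: a status code is the output of an access control, not a substitute for one. The weak endpoint answers 200 to an incremented ID because it never had a per-object check to fail, and its single blocklist entry (userid=0) is bypassed because the bounds check runs on the untruncated value. The hardened version puts authentication before any lookup, ties the requested object to the authenticated caller, and treats an out-of-range ID as a rejected request rather than something to normalise.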

~~~
flyinRyan
I concede that it's a bit fuzzy at the moment, but my criteria would be that
if a spider could have accidentally crawled this info then it can't be a
crime.

>Sure there was. _If AT&T had configured their server properly_ then that's
exactly what it would have given him.

That's not a valid test. If a company decides they didn't want you to see
something _after the fact_ (as in this case) they can always just claim they
didn't configure their servers how they meant to.

>If I wanted to introduce some irony then I would have to ask you whether you
were "blaming the victim" here.

What blaming the victim? The victims were the people whose data got released.
Since they trusted AT&T with it that would make AT&T responsible. Everyone is
talking about Weev but chances are he wasn't the only person on the planet to
know about this.

~~~
AnthonyMouse
>I concede that it's a bit fuzzy at the moment, but my criteria would be that
if a spider could have accidentally crawled this info then it can't be a
crime.

I don't think that works as a test either. Spiders index whatever other
websites link to. The URLs may have been trivial but if there were no public
links to them then a spider wouldn't have followed them. And then on the other
hand they _would_ be on another website if anyone (like weev) had linked to
them, which you can do just as easily with a link that will cause a buffer
overrun, and the spider will then follow it and overrun the buffer. It's
completely plausible for a search engine to provide you with a search hit
which if you click on it will cause a buffer overflow on the destination
server and give you root access to the machine, because some "hacker" posted
such a link on their site and the search engine indexed it and put it in the
database.

>That's not a valid test. If a company decides they didn't want you to see
something _after the fact_ (as in this case) they can always just claim they
didn't configure their servers how they meant to.

That's what I'm saying. _All_ prosecutions for "unauthorized access" are like
that, because if the server had been configured properly then unauthorized
access would be impossible, so when it's discovered that it was misconfigured
after the fact, the server operator wants to go back and retroactively label
the conduct as unauthorized even though their computer allowed it.

There is certainly a matter of degree as to how far you had to go out of your
way to get the server to do something you want it to do, but that is such a
hopelessly vague and meaningless line between legal and illegal actions that
(as Prof. Kerr has argued) it's potentially unconstitutional, to say nothing
of whether it makes for good policy.

>What blaming the victim? The victims were the people whose data got released.

Again, that's the point. The law is stupid. The culpable party here is AT&T
for putting its customers' info at risk. The party being imprisoned is the one
who publicized the vulnerability rather than the ones responsible for putting
it into production. I don't know if I support actual criminal penalties just
for operating a vulnerable server, but I certainly take issue with the idea
that if you do that and then someone publicizes your incompetence, you should
have the right to put them in prison for it based on some vague notion of
having gone too far in proving the point.

~~~
flyinRyan
Very well, I guess we're probably in violent agreement.

------
macchina
This is fantastic news. Hopefully this gets overturned and narrows the scope
of the CFAA to where the government can't put people in prison for exposing
security flaws on unrestricted areas of the web.

------
gruseom
Question for the local counsel: how much harder is Kerr's job made by entering
only at the appeal stage, as opposed to if he had been representing
Auernheimer from the beginning? e.g. are there issues/arguments he won't be
able to bring up now that he could have earlier?

~~~
Lazare
I can give you the general answer to that:

At the trial stage, you can argue matters of fact. Stuff like "my client was
at home in bed when the events occurred" or "those teeth marks don't even
match his dog!"

Since we are now at the appeal stage, barring something _huge_ , all the facts
the trial court decided were true have to be assumed true. So he can't now
argue that Weev didn't actually access AT&T's servers. All he can discuss now
is whether the court correctly applied the law to the facts it determined at
trial, and that means...

...that it won't hamper Kerr at all. The facts here aren't disputed; everyone
agrees on what Weev did, how AT&T's servers were configured, where Weev was,
where the servers were, how AT&T responded to the breach. The dispute is
entirely down to how the court applied the law (or indeed, whether it was even
in the right court), and that's stuff which is best addressed (in some ways,
only addressable) at the appeal level.

TL;DR: It doesn't make Kerr's job harder at all; in fact he can only do his
job at the appeal stage, as his concerns are very much with the trial court's
decision, not with the facts the court based that decision on.

~~~
redthrowaway
So if the Appeals court can only decide if the law was applied correctly, does
that mean it would have to go to the Supreme Court in order to determine if
the law is constitutional?

~~~
mcherm
No, any court can decide if the law is applied correctly or decide that a law
is unconstitutional -- in fact, the lowest level of court can overturn any
law. They are, however, required to apply the law correctly, including following
precedent set by any courts superior to them.

Normally appeals courts only handle the question of whether the lower court
applied the law correctly, and assume that the lower court interpreted the
facts right. This is because normally (there are a few VERY rare exceptions)
it is not legally permitted to appeal on the grounds that the court or the
jury got the facts wrong... only on the grounds that the law was applied
incorrectly.

------
javert
I hadn't been following this case, but this was interesting.

Why has the federal government turned into such a bully? This feels like a
threat to all honest citizens.

~~~
smsm42
Why? Because the honest citizens allowed it to. Sometimes actually begged it
to.

------
mikesena
This is ridiculous.

I'm all for the representation, but I'm against the trolling nature of HN and
the like.

Look at the comments posted the other day. You hated this kid. And still hate
him. Only because he claimed to be bigger than he thought he was, which is
true.

But, an injustice was still done. Yes, the guy is a tool. A big tool. And he's
lucky to have this opportunity. But grow some balls, HN. Either flame him
again, or apologise, because now saying "Yes he was mistreated" is just
flawed.

~~~
georgemcbay
I never commented on previous weev stories but I think it is completely
rational to believe both that he's a giant asshole and also that he was
mistreated by receiving a huge prison term for something that I can barely see
as a crime, let alone a serious one.

Where's the flaw in thinking both of these things?

------
chetanahuja
Wildly extrapolating from current trends : (Old, out of touch, heavy handed
government officials, increasing complexity of technology landscape,
anonymous, bitcoin, various governments creating secret "cyber-war" units,
stuxnet etc..) we're heading to a breakdown and reconfiguration of the entire
power balance between the "lawyer-types" who run the government now and the
hacker types who are mostly relegated to the sidelines of the society for now.
I remember seeing footage of a congressional session (just after SOPA was
sidelined) where the phrase "let's call in the nerds" was used repeatedly.
Then there's crap like this
<http://www.volokh.com/2013/03/13/i-dont-really-understand-why-you-want-to-be-protective-of-the-hackers/>

This is not a sustainable power structure and it's going to change. Let's hope
the transition is peaceful and gradual for everybody's sake.

~~~
kyboren
You think this is new? DoD delegated "Information Warfare" (what would now be
called 'cyberwar') duties to NSA in 1997. In fact, the reconfiguration of the
power structure is explicitly touched upon in NSA's own journal Cryptolog, in
the Spring 1997 issue (Vol. XXIII, No. 1) --
<http://cryptome.org/2013/03/cryptologs/cryptolog_136.pdf>.

------
smsm42
>>>> Importantly, however, only e-mail addresses were obtained. No names or
passwords were obtained, and no accounts were actually accessed.

Why is it important? If, as Orin Kerr claims, emails were public information,
so were names and passwords, if stored under the same scheme. So if he
accessed names and passwords, it would be also authorized access by the same
logic. But it seems to me somehow Orin Kerr feels the weakness in this
argument. Since he doesn't really expect people to believe that if you find a
hole in a site that allows downloading account passwords via exploiting some
vulnerability in an HTTP server by sending it some specially crafted data - he feels
that it is necessary to emphasize that passwords weren't accessed. But many
people consider their personal email no less private than their password - so
if it wasn't OK to take the password (and by emphasizing that no passwords
were taken Orin Kerr seems to implicitly admit it would be important if the
passwords were taken) then it also wasn't OK to take the emails.

On the question of felony though he may have a point. Felony is a grave crime
that renders the criminal second-class citizen long after the prison term has
been served. I think for non-violent crime that did not result in actual grave
harm it is too much, and while I remain unsympathetic to Auernheimer's person,
I think if Orin Kerr succeeds in somehow reducing it to lesser grade (or cause
a change in the law that leads to that) it would be great.

~~~
smsm42
Interestingly enough, whoever downvoted it didn't bother to counter-argue.
Because yeah, why bother?

~~~
jessaustin
I upvoted your top comment but I'm definitely downvoting this whinging about
downvoting. That shit has to stop, or HN will become truly unreadable.

~~~
smsm42
I'm not whining about downvoting, I'm whining about people not willing to
participate in proper discussion but still voting. What's the point in the
whole system then?

------
rdl
I wonder if Marcia Hofmann is doing this individually (and pro bono) or as
EFF.

------
nookiemonster
Hey, here's a cool story about Weev: He's totally the kind of guy society
should tolerate.

<http://bedizen.livejournal.com/258763.html>

~~~
flyinRyan
Go back to 4chan or reddit please. The law isn't your personal playground to
arrest people you don't like. Accessing a public URL isn't a crime. Nor is
being an asshole (of which you should be very glad!).

