
Aaron's Law: repeal CFAA rather than amend it - jessaustin
http://erratasec.blogspot.com/2013/01/aarons-law-get-rid-of-cfaa.html
======
tptacek
Pollution is also inconsistently regulated around the world. We should
definitely look into getting rid of those rules; all we're doing is
hamstringing our own industry while the smart people just find ways to
offshore their offenses. Mercury poisoning for everyone!

~~~
vy8vWJlco
I've never heard of death by copying. :)

~~~
tptacek
Copying shouldn't be a felony under the CFAA. To the extent that prosecutors
find ways to bring civil torts to federal court as CFAA felony charges, _that_
needs to change. But in fact, that's the opposite of what Robert is
recommending in this post: he thinks that we remove the computer abuse element
of the crime and focus on the property crime issue.

~~~
mindslight
Isn't _the_ major property of the entire CFAA that it makes civil torts
into federal felonies? It's not about focusing on just the property crimes,
but any other crime done by exploiting a computer. Crack a hospital and shut
off a ventilator? That's murder 1, 2, or 3.

As for pure computer tampering, what _should_ the appropriate criminal penalty
be for say breaking into HN and putting a banner at the top of everyone's
page? Sounds an awful lot like misdemeanor territory to me.

~~~
tptacek
Imagine a very angry 22 year old is fired from his IT job at a hospital, has
his credentials revoked, and uses his knowledge of vulnerabilities at his old
work site to log in and rm a bunch of servers. Imagine that as a result, the
hospital is unable to enroll patients or to get MRI results back or things
like that. Without CFAA, what crime has been committed?

The appropriate penalty for defacing a website should probably be very low.
Defacing sites should be criminal, and probably a felony, but the bulk of the
remedy should be civil.

~~~
mindslight
Well the non-virtual analog would be "malicious destruction of property", no?
And if he were to say physically go over to the hospital and smash the MRI
machine, would he be charged with additional crimes due to the hospital's
inability to take MRIs? So maybe this is what you mean by 'property crimes' -
a specific analog for 'malicious destruction of data' or the like.

I'm not quite sure I agree that defacing a site should automatically be a
felony. But that's even presently based on the dollar value of the damage
caused being over $5k, right? (which seems pretty low and maybe that combined
with overblown copyright maximalist valuations is the real problem). I need to
brush up on what the current laws _actually say_; I remember them as
basically do anything to a machine out of what "normal people" expect (like
even just nmap) and you could technically get screwed.

~~~
tptacek
I strongly agree with you that the sentencing for CFAA crimes makes no sense.
You can do $300 or $5000 or $1000000 worth of damage based solely on the
number you type into a for() loop. That doesn't make any sense. I have a
hobbyhorse about how the Internet has made criminal mischief so easy to
accomplish that people do it without thinking; that the Internet & technology
are short-circuiting our judgement. I don't think that the criminality of an
act should depend solely on how difficult it was to accomplish. But I also
don't think sentences should scale with assessed damages. We already have a
remedy that scales with damages: tort claims.

I think a more sensible regime would accelerate the severity of computer abuse
based on:

* Commercial intent

* Harm to the public

* Knowing involvement of critical infrastructure

* Malicious intent

* Repeat offenses

* Attempts to obstruct investigation

~~~
mindslight
Well ya know if criminal mischief is so easy to accomplish that it occurs
somewhat unconsciously, maybe that sort of soft threat just needs to be viewed
as the hostile background noise of a public network ;).

Yeah, scaling the sentence based on damages doesn't exactly make sense.
Scaling based on damages that were intentionally caused might be a bit closer,
but still has problems with the outrageous numbers for copyrighted
information.

I can also see your above bullet points going very wrong. I mean, trying not
to harp on it, but if we take Aaron's case (and just assume he ran afoul of
this hypothetical law by changing his IP to continue to access JSTOR), how
many of those would he have run afoul of? Seems like definitely Malicious and
Obstruction, and could be argued PublicHarm. And it seems like most cases
would involve Obstruction for things like ln -sf /dev/null ~/.bash_history. So
we're once again triggering these scary sounding tests of harm for something
that isn't ultimately that harmful.

I know it's a common moralization, but some test based on technical simplicity
could fix a lot of the things that not-totally-malicious people would run up
against.

~~~
tptacek
I wrote that knowing he'd have fallen afoul of malice and obstruction (I doubt
very much public harm, though). Those tests are all things I've seen in other
statutes, for what it's worth. But, on the off chance that this helps clarify
my mentality to you, I'm thinking we have an O(n) problem with CFAA sentencing
today, and my alternative model is O(1).

He also could have gone to court with some confidence that even if a jury was
so petrified by "computer hacking" and so snowed by the complexity and
broadness of the law, he'd stand a very good chance of establishing that he
had no true malicious intent, and that his attempts to obstruct investigation
were minimal (for instance, he used Mailinator, with its prima facie
artificial addresses, instead of more realistic throwaway Gmail addresses).

~~~
mindslight
What sentence do you think Aaron should have been facing in court? How about
someone who roots and wipes a multiuser box for revenge? How do you
discriminate between the two?

I've got a hard time trying to come up with something "right" because it
doesn't feel like Aaron's access should really be a crime at all, and JSTOR
can go for civil damages or criminal copyright infringement. And it also
doesn't feel like we need a law to punish someone for using a computer while
defrauding a bank, because we've already got a law for defrauding a bank that
even gets applied when you do it in person. And to the extent that one can
cause purely virtual destruction (and hence not have any physical world laws
apply), _that_ should be the thing that is addressed as the primary crime,
instead of having a lone charge of something that is usually bundled on top of
other crimes to punish harder.

What about punishment of cracking applying solely to damage done to the
cracked systems (either categorically or monetarily, and possibly including
something like your tests)? This would also put someone who successfully tries
an sshd exploit and then emails the administrator _completely in the right_ -
something we've _never_ had. What scenarios would this leave completely
_unpunished_ (with _no_ applicable laws), and can those just be fixed with
similar categories?

------
mindslight
@rprasad:

1. You're hellbanned. By the looks of it, starting from a comment that
shouldn't even have been that inflammatory (email pg. really.).

2. As to your comment and profile message:

I think a lot of what pushed the conversation towards "mob justice" instead of
"whether his actions should even have been a crime" is that idealistic hackers
_have_ been making the argument to get rid of the CFAA and all other open-
ended "unauthorized access" laws for quite some time, and are generally
dismissed as unreasonable trolls. So rather than bringing up that same point
again (which will still get dismissed out of hand by most people - I mean most
people think that "identity theft" is actually a real thing!), "we" have to
proceed on the assumption that those terrible laws are here to stay until
digital natives become the majority, and can only hope to punish the
prosecutorial bullying that made the threat of a three decade incarceration
the price for a jury trial.

~~~
jessaustin
_a comment that shouldn't even have been that inflammatory_

A comment to the effect of "innocent people don't commit suicide"? That's
pretty obnoxious in the best of times. In the current context the result is
not so surprising.

I don't advocate hellbanning for any specific person, but the practice itself
is so amusing that I'm glad it exists. Perhaps HN's implementation is not
subtle enough, if the hellban target notices so quickly.

~~~
mindslight
Honestly I've always found 90% of his comments annoying lawyer status-quoism.
And yeah I'm just noticing that the two comments before the deadened
ones are quite hostile.

But, his comment in this thread:

> _Agreed. The solution to a bad law is usually to get rid of the law and
> start again from the ground-up. Amending a law leaves open the possibility
> of missing out on critical flaws._

Part of profile when I first clicked:

> _A guilty man killed himself, and drove the Interwebz into a frenzy. The
> discussion should be about whether his actions should even have been a
> crime, and what society could do better to prevent future suicides. Instead,
> most of HN, including some of its most "respected" members have been
> demanding mob justice of the prosecutors handling the case._

So my curiosity has been piqued. Perhaps it's too early and heels are still
dug in, but what are the practical concerns for fixing these open ended
extremely harsh laws? Clearly removing TOSs from the scope of "authorization"
fixes something major, but it's certainly not the whole story and I personally
don't think it would have prevented Aaron's predicament.

~~~
btilly
_Perhaps it's too early and heels are still dug in, but what are the practical
concerns for fixing these open ended extremely harsh laws? Clearly removing
TOSs from the scope of "authorization" fixes something major, but it's
certainly not the whole story and I personally don't think it would have
prevented Aaron's predicament._

If part 4 of <http://www.volokh.com/2013/01/16/the-criminal-charges-against-aaron-swartz-part-2-prosecutorial-discretion/>
has any truth to it, we really
don't want legislation about the TOS authorization issue when we have good
precedent for that, and the prospect of a Supreme Court case that solves the
problem more cleanly than legislation would.

The suggested legislative fixes that Orrin Kerr recommends seem reasonable to
me. I'd personally like to see more informed commentary on that issue.

-----

On rprasad, he made enough clearly wrong assertions about the law from
personal authority that I had him on a list of people to assume by default
they are wrong. However I still make a point of trying to listen to and engage
people I disagree with. (Sometimes to my grief.) I'm not unhappy that he's
gone, but if he chose, I think he could have made good contributions to HN.

I strongly suspect that he'd have much more nasty things to say about me than
what I just said about him.

------
jessaustin
This sentiment will really annoy the old folks. The law doesn't "work" because
it can't. In the future, when more of life is like life online, we might be
less "safe", but we'll be more free.

~~~
tptacek
You'll be free to spend a lot more time worrying about offending people with
time or resource advantages who will retaliate by disrupting your life online.
But don't worry, I'm sure everybody who could fuck you over online will always
share your beliefs.

~~~
jessaustin
Retaliate for what? I'm a nice guy!

Really, though, after the last couple of years it seems reasonable for USA
citizens to feel more threatened than protected by the CFAA, whether they're
activists or they just choose to change their MAC occasionally.

~~~
tptacek
I've drawn the opposite conclusion from the last 2 years.

Nobody has been charged under CFAA simply for changing their MAC address. When
you try to turn the Swartz case into a slogan like that, you do your whole
argument a disservice, because your slogan is trivially refuted.

~~~
jessaustin
OK, I'll stipulate that you don't feel threatened by the CFAA. In what sense
do you feel protected by it?

~~~
tptacek
I'll be less terse: the odds that any American's life is going to be disrupted
by someone who would violate the CFAA is much higher than the odds that a
federal prosecutor would bring a CFAA case against them.

I am not arguing that the CFAA doesn't badly need fixes. The zeitgeist seems
to say that the big problem is criminalization of ToS violations (which was in
the wake of Lori Drew inevitably going to stop being the case anyways), but I
think the real problem is the sentencing rules that follow CFAA convictions.

~~~
mindslight
What about the odds that one's life is going to be disrupted by someone who
would violate the CFAA but no other laws (also then multiplied by the chance
of said violation actually being successfully investigated and prosecuted)
versus the everpresent odds of one's life being disrupted by someone outside
of the reach of the CFAA?

~~~
tptacek
I think the globalization issue is a little bit overblown, since most other
western countries have similar laws, and a huge fraction of the online crime
that affects Americans originates from the west.

~~~
mindslight
And what about those in the west that will really never get caught? I mean
presumably one of the reasons sentences are so high is because enforcement is
so hit or miss, even though higher sentences don't deter people who think
they're invincible.

~~~
tptacek
Agree: it is a problem that it's so difficult to investigate computer crime
that the unfortunate few who get caught also deal with all of society's pent
up frustrations. We can address that by fixing sentencing.

------
greghinch
I wouldn't hold my breath, but it's a nice idea.

