
How Weev's prosecutors are making up the rules - kotharia
http://blog.erratasec.com/2013/09/how-weevs-prosecutors-are-making-up.html
======
tptacek
One of our many lawyers can relate to us how meaningful the complaint about
the word count in the prosecution's brief is. Maybe it's a big deal; I have
absolutely no clue about that point.

But the central argument to me in this piece is that the DOJ is simply
criminalizing URL editing. That is to me a gross oversimplification of what's
happened. The CFAA is constructed not to criminalize accidental or reckless
unauthorized access, but instead using a "knowing" standard. The DOJ's
argument in the Auernheimer case is that the defendant was aware that he
shouldn't have had access to information tied to ICC-IDs, just as he'd have
been aware had he tried to loop through Social Security Numbers in some other
application.

There are plenty of sane arguments (see Orin Kerr† for a good survey) that
what Auernheimer did shouldn't have constituted unauthorized access. I don't
actually happen to agree with any of the ones I've heard, but, more
importantly, I have a hard time believing that those arguments are so
dispositive that they indicate malfeasance on the part of prosecutors.

To me, the central problem with the CFAA isn't that it's easy to trip. Rather,
it's that the sentencing is totally out of whack, in two ways: (1) that CFAA
reacts in a particularly noxious catalytic way with other criminal statutes to
accelerate minor infractions into significant felonies, and (2) that sentences
scale with "damages", which have the effect of creating sentences that scale
with the number of iterations in a for(;;) loop, which is nonsensical.

The problem is not simply that once prosecuted, defendants face unjust
sentences. It's worse: the oversentencing creates a perverse incentive for
prosecutors, turning run-of-the-mill incidents into high-profile vanity cases
that lock the DOJ into pointlessly aggressive prosecutions.

To me, it makes sense that what Auernheimer did should have been illegal, but
it makes no sense at all that he's serving a custodial sentence over it.

(I did read the whole article; I didn't find the user-agent and responsible
disclosure points particularly compelling, but maybe you did; I'm happy to
opine about them as well. It's my judgement, not the article's overt wording,
that the argument revolves around URL editing.)

† http://www.volokh.com/2013/01/28/more-thoughts-on-the-six-cfaa-scenarios-about-authorized-access-vs-unauthorized-access/

~~~
rayiner
I think my thoughts on the CFAA have evolved. I agree it's not easy to trip. I
agree sentences are the problem. But as far as I can tell, the US Sentencing
Commission is full of crazy people. The Sentencing Guidelines are bizarre. And
the whole process has caused judges to abdicate their good sense and anchor
their sentences to this messed up document.

If we can't trust sentencing as a process, and I'm beginning to believe we
can't, maybe sensible laws can nonetheless be ultimately unreasonable in
context.

~~~
pseingatl
Where were you when the Sentencing Guidelines were proposed in 1987? When they
became law on November 1, 1989? The guidelines at that time were all about
throwing drug dealers into jail for extended periods, but because you weren't
a drug dealer, so what? Now those same guidelines are being used against
average computer users. Because they said nothing before, it's too late now.
What was the quote from the German pastor Niemoller? "First they came for the
Socialists..."

~~~
dctoedt
> _Where were you_ [@rayiner] _when the Sentencing Guidelines were proposed in
> 1987? When they became law on November 1, 1989?_

Judging from the on-line information available about him, he was three years
old, or thereabouts.

~~~
tptacek
That. is. no. _excuse_.

------
anigbrowl
_But while they can edit the URL, most people don't. For that reason,
prosecutors insist that it's illegal. On page 32, they describe a
hypothetical "judicial law clerk" who is a "reasonably sophisticated computer
user". They point out that this clerk would search in vain for hyperlinks, and
thus, not be able to access the information since such hyperlinks don't exist.

This is a clever trick of the prosecutors. It exploits the fact that the way
the judge is going to handle this case is to give the brief to the young clerk
who spends a lot of time on Facebook, where "heavy Facebook use" is the proxy
for "reasonably sophisticated computer user"._

HN user Rayiner is a law clerk in a US appeals court, and he's pretty handy
with assembler from what I recall. This is a ridiculous straw man argument
that badly misrepresents the claims in the brief.

Overall, I think this article is terribly poorly written. An inability to
handle basic grammar is not a good foundation for parsing legal arguments, and
much of the author's argument is predicated on the assumption that lawyers and
judges do not understand computers.

~~~
ericd
Do you think Rayiner is representative of law clerks in general?

~~~
anigbrowl
No, but nor do I think much of the author's snide dismissal of law clerks as
'people who use Facebook a lot,' (and who, by implication, are incapable of
parsing the defense team's arguments). This is a popular trope on HN, but not
a very well-founded one. There is intense competition for clerking
assignments, which means they go mostly to the cream of the academic crop, and
good law students and lawyers are the kind of people who are able to
accurately assess their own level of knowledge on a particular subject and
rectify it through research, because their professional reputation depends on
the ability to do so.

Frankly, I would trust a law clerk who knew nothing about computers to
understand the subject better after study than I would a programmer who knew
nothing about law.

~~~
ericd
I agree with your opinion of law clerks as generally competent people, which
probably extends somewhat to technology with the younger set.

That said, I know a lot of young, competent engineers and scientists who know
next to nothing about the workings of computers and networks. They could
figure out a lot if they had the time to put into it (I've seen a couple
switch into development successfully), but usually they don't and their
knowledge is of the surface-level stuff. That could still help with gut checks
about what's reasonable behavior online for a casual user, but it's far from
the nuanced understanding necessary to understand the ramifications of and
make calls about things like the various applications of the CFAA in cases
involving more advanced users.

Most people are not curious about technology and generally don't have a good
understanding of other people's curiosity about the subject. Should they be the
ones to judge whether someone was just playing around or trying to attack
something? Or should it be people with that curiosity who have had experience
in playing around with security?

I would say that programmers' interpretation of the law via intent and current
context in tech cases is frequently more consistent with what a just society
needs than most judges' attempts at maintaining consistency with past rulings
until a higher circuit corrects the precedent. I wouldn't dismiss the whole
class as overenthusiastic amateurs.

I may just not be seeing the value in the judges' attempts at finding
consistency, though, and I'm curious as to why they strive so hard for it
versus trying to find the correct interpretation. My understanding is that
that's just an attribute of the common law system. If someone could tell me
why that's valuable (perhaps for consistency of enforcement/predictability of
outcomes?), that'd be great. Sorry for the tangent, but it's something I'm
curious about.

~~~
anigbrowl
I get where you're coming from, but I'm not willing to join you over there - I
honestly think your position is flawed and that programmers are terrible at
judging such issues.

_I may just not be seeing the value in the judges' attempts at finding
consistency, though, and I'm curious as to why they strive so hard for it
versus trying to find the correct interpretation._

This is very much an epistemological question. I'm personally a utilitarian
but as we are not granted with the gift of foresight I accept that we need to
work within an established framework (ie maintaining consistency with
precedent) because what is correct is not nearly as obvious as we would like
it to be (eg in this article I think the assumption of what user agent strings
are for is too pat by far). A good, accessible, and affordable book on this
subject is _Bad Acts and Guilty Minds_ by Leo Katz - written by a law
professor but for a lay audience. I would be a good deal more utilitarian than
he is, but then I'd have approached the defense of Weev's case far differently
too.

~~~
ericd
Thanks for the suggestion, it's on its way to my Kindle for later.

------
PhasmaFelis
I'm still kind of boggled that they were unable to get Weev on criminal
harassment. Or anything else, for that matter, given that IIRC he had no
employment of record but was independently wealthy and bragged about doing
computer crime for cash. He absolutely belongs in prison; just not, perhaps,
for this specific charge.

~~~
thaumaturgy
> He absolutely belongs in prison...

I would like to see this rhetoric about Weev stop. People are allowing
themselves to be distracted by the character of the defendant rather than the
stupidity of the laws involved.

Whether or not he belongs in prison is completely irrelevant to the
conversation about the sentencing and laws and prosecutorial conduct involved.

Unless, of course, you want to defend bad laws so long as they apply to people
who are not you.

~~~
wavefunction
PhasmaFelis is being perfectly reasonable in noting that Weev's current
prosecution seems inappropriate and dangerously precedent setting, while still
noting that Weev is vile scum (by his own admissions) who should have instead
been prosecuted for other more real crimes.

~~~
thaumaturgy
But that's not relevant. At all. And, it weakens the criticism of the
prosecution: "I hate to defend this guy, _but_..."

It's akin to saying, "Alan Turing is gay, but he's done some good work in
cryptography anyway..." ... that example only seems ridiculous now because
social mores have changed.

Weev's character would have relevance in a discussion about whether or not he
deserves a Great Justice award, not whether or not the prosecution in this
case is just or not.

~~~
PhasmaFelis
It's relevant because I've seen more than a few people try to advance Weev as
some sort of Aaron Swartz-style culture hero. As a part of this culture, _I
don't want that to happen_. I don't want anyone to ever cite Weev as a
personal inspiration, I don't want to see his name listed alongside people
like Swartz or Bradley as an innocent hacker victimized for trying to do the
right thing. If you want to use him as a test case for an unjust and poorly-
interpreted law, that's fine, but don't tell me that the discussion has never
been about whether Weev is a great guy, because I've seen it happen; and don't
try to tell me that the truth is not relevant.

Weev is proud of hurting innocent people. He brags about it. _He wants us to
know._ And I'm sure as hell not going to try to cover that up on his behalf,
or tolerate those who do.

------
meritt
I love how it's illegal to adjust part of a URL but perfectly legal to wiretap,
decrypt personal communications and spy on billions of people.

~~~
shardling
This seems like one of those things people say to score points, rather than to
actually engage in the process of using their brains.

There are a myriad of things that are legal for the government to do that are
illegal for a common citizen. There's no irony in that.

~~~
Amadou
_There are a myriad of things that are legal for the government to do that are
illegal for a common citizen. There's no irony in that._

If the government does not require a warrant to do something, then it should
be legal for anyone to do. After all, the entire purpose of a warrant is to
ensure oversight in the use of government power.

~~~
azernik
The government doesn't require a warrant to take your property by taxation or
for eminent domain.

The government doesn't require a warrant to prevent people from entering or
leaving the country.

The government doesn't require a warrant to block off city streets or do any
of a number of things to public property.

The _only_ things that the Constitution requires the government to get a
warrant to do are "search and seizure", which are terms with very specific
meanings in the Common Law. The NSA somehow argues that intercepting people's
traffic isn't a "search" until an analyst actually looks at it, which I think
is a ridiculous argument; however, the response isn't "everything you do needs
a warrant", but "that's a search, and _searches_ need warrants".

~~~
Amadou
Your examples are just word games. The intent of a warrant is oversight, all
of those examples require oversight, some more so than others, but all of them
require some sort of accountability.

------
jhales
They returned the HTTP code 200. That means good to go. There is another code
for access forbidden.

~~~
tptacek
Congratulations, you just immunized probably 1/3rd of all the SQL injection
exploiters on the Internet.

~~~
legutierr
I think there is a clear distinction that you can make between an SQL
injection attack and the unsecured API that weev accessed. SQL injection
attacks depend on inserting malicious code into an application in order to
traverse that application and access systems that stand behind it. The point
of SQL injection is to circumvent restricted permissions that the owner of the
server has attempted to impose.

What weev did was quite different in that he accessed this web service in
exactly the _way_ it was intended. Even if he was not the intended consumer of
this data, his attempted access never exceeded the defined and expected
parameters of the API he was accessing. Furthermore, he didn't _circumvent_
[1] any access restrictions; rather, access restrictions were never imposed.
weev had no information available to himself as to AT&T's intent to disclose
or not disclose customer emails; as far as he was concerned, the existence of
this API could have been a purposeful and not simply negligent disclosure on
the part of AT&T.

I think that the reason that the weev case rankles is that web developers do
this kind of thing all the time. What is the difference between what weev did
here and Padmapper did when it built a product on top of Craigslist's data?
Despite Eric DeMenthon's protests to the contrary, a strong argument could
be made that Padmapper's intent was to cause severe commercial harm to
Craigslist, which is conceivably why he got sued. In spite of the civil case,
however, criminal charges are almost unthinkable.

Also, how often do we read about someone's project being hampered when a
private Google API is turned off? [2] Anyone that builds a commercial product
on top of something like this would be deemed a fool, but I've never seen
anyone accuse a developer who is using this kind of API of acting criminally.

What is the difference, under the law, between someone accessing a private
Google API and the private AT&T API that weev accessed? As a web developer
with zero documentation, zero information beyond simply knowledge of the API
URL's existence, there is no apparent difference beyond what content was being
served by these APIs. So, if that is the case, at what point should web
developers accessing undocumented APIs begin to be concerned about their
criminal liability?

[1] Shouldn't it be _circumvention_ not _authorization_ that defines
criminal access under the law?

[2] Just the easiest-to-find example:
[https://news.ycombinator.com/item?id=4441677](https://news.ycombinator.com/item?id=4441677)

~~~
throwawaykf02
_> What weev did was quite different in that he accessed this web service in
exactly the way it was intended._

So is a thief who walks through a door carelessly left unlocked "accessing it
exactly in the way it was intended." It's what he does afterwards that makes
the difference.

 _> What is the difference, under the law, between someone accessing a private
Google API and the private AT&T API that weev accessed? As a web developer
with zero documentation, zero information beyond simply knowledge of the API
URL's existence, there is no apparent difference beyond what content was being
served by these APIs. So, if that is the case, at what point should web
developers accessing undocumented APIs begin to be concerned about their
criminal liability?_

When the content you get back from a URL is other people's private data, it
doesn't take a genius to figure out that maybe there's some criminal liability
there.

~~~
Dylan16807
>So is a thief who walks through a door carelessly left unlocked "accessing it
exactly in the way it was intended." It's what he does afterwards that makes
the difference.

If he takes some pictures and leaves he certainly isn't guilty of breaking and
entering.
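The status-code argument in the subthread above (jhales: "200 means good to go"; tptacek: that logic would immunize SQL injection too) and legutierr's distinction between circumventing a restriction and never having one imposed are easier to see in code than in prose. What follows is an added example, not code from the thread, from AT&T or from the case record. The endpoint shape (an ICC-ID in the URL and a User-Agent gate) is a hypothetical model of what the thread describes, not a claim about AT&T's actual implementation, and every ICC-ID, address and session name is constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def iccid(n: int) -> str:
    """Constructed ICC-ID format: a fixed prefix plus a 4-digit sequence
    number, so that consecutive subscribers are one increment apart."""
    return f"890141040000000{n:04d}"


# Constructed sample table (not real SIM serials or addresses): ICC-ID -> e-mail.
# Number 4 is deliberately unassigned so a sweep also sees a miss.
SUBSCRIBERS = {
    iccid(1): "alice@example.net",
    iccid(2): "bob@example.net",
    iccid(3): "carol@example.net",
    iccid(5): "dave@example.net",
}

# Constructed session table: which ICC-ID the authenticated principal may read.
SESSIONS = {
    "sess-alice": iccid(1),
    "sess-bob": iccid(2),
}

# Assumed, illustrative User-Agent string for the "expected" client.
IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 3_2 like Mac OS X)"


@dataclass
class Response:
    status: int
    body: Optional[str] = None


def lookup_unchecked(iccid_param: str, user_agent: str) -> Response:
    """Hypothetical weak endpoint. The only gate is a User-Agent substring, and
    the ICC-ID taken from the URL alone selects whose address comes back. No
    restriction ties the record to the requester, so there is nothing to
    circumvent; the 200 reflects no authorization decision at all."""
    if "iPad" not in user_agent:
        return Response(403)  # satisfied by editing one request header
    email = SUBSCRIBERS.get(iccid_param)
    if email is None:
        return Response(404)
    return Response(200, email)


def lookup_bound(iccid_param: str, user_agent: str,
                 session_id: Optional[str]) -> Response:
    """Hardened form. The authenticated session, not the URL parameter, decides
    which ICC-ID may be read, and the User-Agent plays no part in that."""
    owner = SESSIONS.get(session_id) if session_id else None
    if owner is None:
        return Response(401)  # no principal, so nothing can be authorized
    if owner != iccid_param:
        return Response(403)  # real principal, but not this record's owner
    return Response(200, SUBSCRIBERS[iccid_param])


def sweep(handler: Callable[..., Response], start: int, count: int,
          **request) -> List[Tuple[str, int]]:
    """Models the for(;;) loop the thread talks about: request `count`
    consecutive ICC-IDs from `start` and record the status of each."""
    results = []
    for n in range(start, start + count):
        results.append((iccid(n), handler(iccid(n), **request).status))
    return results


def leaked(results: List[Tuple[str, int]]) -> int:
    """How many iterations of a sweep returned a record (status 200)."""
    return sum(1 for _, status in results if status == 200)


if __name__ == "__main__":
    unchecked = sweep(lookup_unchecked, 1, 6, user_agent=IPAD_UA)
    bound = sweep(lookup_bound, 1, 6, user_agent="curl/8.0",
                  session_id="sess-alice")
    print("unchecked endpoint: records returned to a stranger:",
          leaked(unchecked), "of", len(SUBSCRIBERS))
    print("bound endpoint: records returned to sess-alice:", leaked(bound))
```

Run it and the unchecked handler hands every assigned record to a sweep that carries the expected User-Agent, with the 200/404 pattern saying only whether a row exists, never whether the caller may see it. The bound handler answers 403 for every ICC-ID the session does not own, which is the "other code for access forbidden" jhales has in mind and which the weak design never emits for a stranger, because it never asked who was asking.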

------
pseingatl
The government would normally file an application for leave to file a brief in
excess of the appellate rules' word limit. U.S. federal courts normally grant
these applications when made by the government. When made by defendants in
criminal cases, it's much more of a maybe. However, courts as a rule do not
like verbose briefs.

On another note, it seems to me that in these computer cases the law really
doesn't care what's "under the hood." It doesn't matter if it's javascript or
java, or if maybe someone could have jumped on an open Wi-Fi network.

The law lives in a conservative analogue world and will continue to do so for
years to come.

------
walod
If you read the irc logs, weev and spitler's intent was obviously malicious. I
think many things in this case are true at the same time. Oversentencing and
prosecution yes, but how do you then prosecute someone like this? There was a
reason they included the irc logs in the prosecution, because the intent
counts, not just the physical actions by the accused.

~~~
lawnchair_larry
No, the logs were taken out of context. They have a "special" sense of humor,
but they didn't intend to actually do any of what was in the logs.

------
at-fates-hands
I'm wondering why he even appealed this. Seemed pretty straight forward what
he did. What exactly is he appealing on? He was only sentenced to 3 years.
He'd be out in less than 2 if he stays out of trouble. For a hacker, I'd say
he got off pretty light considering what others have gotten.

~~~
pseingatl
Not less than 2. There is no federal parole. You earn good time at the rate of
55 days per year. So the maximum "Weev" could earn is 165 days. He has already
been in seg once for rules violations so it's unlikely he would get the full
55 days, at least for this year.

He would be eligible for a halfway house; in his case that would be within
three months of his mandatory release date.

So in any case he is going to spend more than two years in a federal prison.
Doing time is not easy if you fight the prison system, and according to
reports this is what he has been doing.

His sentence also undoubtedly contained a supervised release provision. So if
he violates the conditions of his release (probably no computer use, that's a
standard one) he goes back inside for the duration of the supervised release
period.

Federal prison is no joke. There are very good reasons to appeal.

------
stretchwithme
Since when are you not allowed to type whatever web address you please in your
own browser?

Or the user agent? What if you're just curious if the app will even serve
another browser?

