
Man Convicted of Hacking Despite Not Hacking - eplanit
http://www.wired.com/threatlevel/2013/04/man-convicted-of-hacking-despite-no-hacking/?buffer_share=7c9de&utm_source=buffer&utm_medium=linkedin&utm_campaign=Buffer%253A%252BYaniv%2520Capeluto%2520%2528Kapluto%2529%252Bon%252Blinkedin
======
wvenable
The problem is that "hacking" is a crime with disproportionate penalties. The
consequence is that prosecutors would rather charge and convict someone (who
didn't touch a computer) for hacking than for fraud.

------
spoiledtechie
This sort of brings back to light Aaron. Can someone please update me on what
if any progress has been made to make sure this doesn't happen again?

Has his cause and actions just sort of belly flopped and gone nowhere or have
we seen something meaningful come from the tragic loss?

------
yoster
Like the old saying goes, Don't do the crime if you can't do the time....

------
tantalor
I don't see what the big deal is. If you pay somebody to commit a crime (e.g.,
murder), you may be prosecuted for the crime itself.

~~~
betterunix
Four of the six charges were related to accessing a computer. In this case,
that amounted to logging in and downloading files.

~~~
mpyne
And yet the trade secret charge had the harshest penalty, and the conspiracy
charge was tied for second-harshest. Maybe the Federal Sentencing Guidelines
count the number of charges convicted on but it's hard to claim that the CFAA
is the only or predominant reason Nosal will be facing jail time in this
particular case.

------
snake_plissken
Ok, exactly what did he do that is illegal: He paid another company's
employees to get information from said company's database, and that these
employees accessed the data by using some other employee's login credentials
without permission?

~~~
mpyne
Well, "industrial espionage" actually _is_ a crime since 1996, no matter what
tools you use to do it (and notably, has the harshest sentence of the 3 major
types of crimes Nosal was charged with).

Unauthorized access to a computer network was made to help complete the crime,
which is itself criminal, just like there is a charge "mail fraud" that makes
use of the postal system to further _any_ criminal act illegal.

Conspiracy is always illegal itself as well.

~~~
snake_plissken
Thank you. I couldn't recall the exact words, but yeah this is classic
industrial espionage

------
rayiner
A more fact-based article:
[http://7thspace.com/headlines/436581/executive_recruiter_dav...](http://7thspace.com/headlines/436581/executive_recruiter_david_nosal_convicted_of_computer_intrusion_and_trade_secret_charges.html).

~~~
betterunix
What's your point? Had he walked away with a paper copy of the data in
question, more than half those charges would not exist. The issue here is that
"involving a computer" has become an excuse for harsher sentencing and greater
power for police and prosecutors. Driving that is a law that is so broad that
nearly anyone with computer access could be accused of violating it (in other
words, the majority of Americans).

~~~
rayiner
The point is that Wired's egregiously shitty journalism isn't doing anybody
any favors when it comes to mustering up legitimate opposition to the CFAA. If
I opposed the CFAA in its present incarnation (which I do), I'd be embarrassed
to be associated with Wired's coverage. If I were a friend of Aaron Swartz,
I'd be offended at Wired's repeated attempts to compare guys with malicious
intent like this guy and the Watts guy in an article earlier this week to
Aaron.

~~~
betterunix
First of all, Watt did not have any malicious intent -- he wrote a packet
sniffing program and gave it to a friend, and did not participate in nor
benefit from his friend's crime.

Really, I am not seeing what your issue is with the comparison between the
three cases. In all three cases, men faced charges of CFAA violations that
were completely inappropriate. In all three cases, the CFAA charges were used
for no reason other than to pressure the defendant.

You are doing a disservice to those who are trying to fix the problems with
the CFAA by suggesting that there is any legitimacy to the application of that
law in this case.

~~~
rayiner
> First of all, Watt did not have any malicious intent -- he wrote a packet
> sniffing program and gave it to a friend, and did not participate in nor
> benefit from his friend's crime.

The jury concluded based on the evidence that he knew that his friend intended
to use it to commit a crime. Knowledge and conscious disregard for the fact
that your work is being used to commit a crime is indeed malicious intent.

> Really, I am not seeing what your issue is with the comparison between the
> three cases. In all three cases, men faced charges of CFAA violations that
> were completely inappropriate.

In two of the cases, the men were directly involved in the commission of a
computer-related crime and acted maliciously. If you're trying to show the
injustices of a law, it's generally a good idea to find sympathetic defendants
rather than criminals or their accomplices.

~~~
betterunix
"Knowledge and conscious disregard for the fact that your work is being used to
commit a crime is indeed malicious intent."

Cryptographers beware...

"computer-related crime"

Except that "computer-related crime" has come to mean "any crime in which a
computer is used." As more and more things become computerized, more and more
crimes will be "computer-related." Eventually everyone who is accused of a
crime will also be accused of a CFAA violation, which will weaken everyone's
defense.

"If you're trying to show the injustices of a law, it's generally a good idea
to find sympathetic defendants rather than criminals or their accomplices"

Henry Louis Mencken addressed this more eloquently than I can:

"The trouble with fighting for human freedom is that one spends most of one's
time defending scoundrels. For it is against scoundrels that oppressive laws
are first aimed, and oppression must be stopped at the beginning if it is to
be stopped at all."

~~~
mpyne
Just as there is a difference between making guns in general, and making a
specific gun for a friend who has indicated that he will use it for a specific
crime, there is a difference between making programs which can be used in
crimes in general and making specific programs to aid and abet specific future
crimes.

Your point about computer crimes becoming more prevalent is certainly
justification to alter legislation dealing with computer crimes so that minor
infractions have minor penalties, but I never saw rayiner arguing to the
contrary.

------
tptacek
He wasn't convicted of "hacking". He was convicted of fraud, under a law that
makes it easier to prosecute fraud when it involves a computer. I haven't read
any of the case filings, but Wired's own attempt at a charitable description
of the events sure sounds like fraud to me.

From the source 'rayiner provided:

    
    
        Evidence at trial showed that Nosal, 55, of Danville, entered into an
        agreement with other Korn/Ferry employees in 2004 to take confidential
        and proprietary materials from Korn/Ferry’s computer system to be used
        in a new business that Nosal intended to establish with those
        individuals after he left Korn/Ferry’s employment in late 2004. The
        evidence showed that two of those employees downloaded large numbers
        of “source lists” (essentially, targeted lists of candidates developed
        by Korn/Ferry for the purpose of filling particular positions at
        particular client-companies) prior to their own departures from
        Korn/Ferry. Thereafter, those two employees used the Korn/Ferry login
        credentials of another conspirator who was still employed at
        Korn/Ferry to download additional source lists and other information
        from Korn/Ferry’s computer system in April and July 2005 for use in
        Nosal’s new business. The trial in this case occurred after remand
        from the Ninth Circuit Court of Appeals, which had affirmed
        then-District Court Judge Marilyn H Patel’s pre-trial dismissal of
        several computer intrusion counts.
    

The CFAA is a hugely problematic law. But I'm not a fan of manipulative news
stories either.

~~~
btilly
There have been rules and lawsuits around former employees stealing their
employer's list of clients for ages.

The fact that said lists are now stored in a computer rather than in a rolodex
or filing system should not suddenly increase the potential penalties
manyfold.

I also don't see why the federal government is prosecuting what I see as a
civil dispute between two private parties.

~~~
danielweber
If I fire someone, and they come back into the office afterwards at night to
do whatever, is that still "a civil dispute between two private parties"?

~~~
btilly
You make a good point. There is clearly theft of proprietary information.
(Though the guy who got convicted didn't do the stealing.)

But I reiterate. The fact that the information was stored on a computer
shouldn't trigger massively bigger penalties. Everything is stored on
computers these days!

~~~
anigbrowl
OK, so would you be OK with it if unauthorized access to a computer system (e.g.
an ex-employer's or some other case where _the lack of authorization is clear
and criminal intent is present_ ) resulted in a charge of burglary?

~~~
etvmueller
The problem is that there is already a well developed set of laws to govern
human interactions with each other and with the environment. This is like the
broken patent system: it's something that has been done for 40 years, except
on a computer! We do not need a patent for that, and we do not need a new law
for stealing information on a computer. We already have laws for theft.

~~~
tptacek
The problem the authors of CFAA faced when the law was written is that this is
actually not the case. Existing laws regarding e.g. burglary did not cleanly
apply to computer crimes.

I think there are probably cases that do a better job showcasing the need for
computer-specific crime laws, and crimes that do a worse job at that. Basic
wire fraud cases don't really need CFAA from what I can tell, and CFAA serves
primarily as a sentence accelerant in them. But in other cases, particularly
where people cause damage but don't reap profits, the need for specific laws
is clearer.

~~~
etvmueller
Was it really the case that someone could steal information from a computer
and not be charged with a crime, or indicted by a grand jury and then
successfully prosecuted under existing law, and that until recently, when
information was stolen from a computer, that was not a crime?

~~~
anigbrowl
It would be an awful lot easier to argue that. I'd need to go back and look up
a bunch of cases which I don't feel like doing at present because it would be
a large research project, but absent any specific computer-crime laws I'd
argue that because a computer is a digital system and a digital system is just
a complex agglomeration of switches, there's no qualitative difference between
accessing a computer system and turning a light switch on and off. You'd never
convict someone of a crime for turning a light switch on and off; if they
entered your office at night to do so that would just be trespass rather than
burglary. So how is operating a computer all that different? You're just
opening and closing a few million different circuits. Sure, you could _say_ my
client illegally obtained information by doing so, but where is this
information? Can you produce it in evidence? If you can't do so without
printing it out, and you can't show that my client printed it out, where is
the crime? Etc. etc. Likewise I could argue that no fraud has taken place
because fraud involves a deception, a deception involves a deceiver and a
deceived, and computers are not sapient, therefore they're not capable of
being deceived. Defeating a login system isn't a case of deception because
the administrator of said system was not consulted for permission; arguably he
automated away his duty of granting or withholding access and the defendant
should not be blamed for the inadequacy of that automated process.

Sure, these are bullshit arguments, but the point is that our legal system
works on a rough mix of common sense and code. If I can find an exploitable
ambiguity in statute or precedent and apply it to a defendant's case, then
it's like an exploit in which throwing an exception is equivalent to a trial
resulting in an acquittal. We have laws defining what a computer system is and
what constitutes access to one etc. precisely because the virtualized nature
of digital information makes it tricky to apply laws that were drafted to deal
with theft of physical property.

~~~
etvmueller
Is the intent of existing law considered as part of the concept of common law?
Would the average member of the jury really not understand this? Why couldn't
a prosecutor receive an indictment and then argue this before a court and jury
and thereby develop the methodology to approach this problem? This process may
require several cases but wouldn't that be preferable to have jurists extend
common law rather than have legislators parachute in new laws that obviously
have problems?

~~~
anigbrowl
Those are _very_ good questions: the fact is that there is a huge amount of
tension between the judicial and legislative branches, and within the judicial
branch itself, about where the boundary between judges' interpretation and
reasonable interpolation of the law, and the text of statute as written.
Conservative jurists like Justice Antonin Scalia think you should always go by
the text of the law, and that it's dead wrong to consider legislative intent,
no matter how obvious or well-documented it is/was; this approach (known as
textualism) holds that if a law is no good, the correct remedy is for Congress
to rewrite it. Judges should only dismiss a law as unconstitutional or go
around it in cases where there is a clear and unambiguous conflict between the
Constitution and the statute. Other jurists, such as Justice Stephen Breyer,
look at the Constitution as more of a framework document and think that you
absolutely need to examine laws within the context in which they were passed
and in the light of which problem they're intended to solve.

This is a very gnarly question, with good arguments on both sides - but in
addition, there's a lot of unstated political baggage tied to both sides of
the argument, so that what is on the surface a question of legal philosophy is
on closer examination rooted in quite different philosophies of governance.

Now myself, I like the common-law approach and I would prefer a general class
of crimes and that the details of individual cases be taken up by wise
jurists. On the other hand, it's not a foregone conclusion that all judges are
wise or selfless, and of course there might be judges who are both but who
would come to quite different conclusions from me because they operate on a
different moral calculus. So for the sake of consistency and predictability,
there's a strong argument to have laws debated and promulgated by legislators
rather than judges, so that anyone can go and look them up for guidance about
what is and is not legal. Of course that involves some idealistic assumptions
about legislators...

If you like high-density reading material, I strongly recommend _How Judges
Think_ by Judge Richard Posner.

