
Aaron’s Law, much-needed reforms to computer crimes law, introduced in Congress - PiersonBro
http://arstechnica.com/tech-policy/2013/06/aarons-law-much-needed-reforms-to-computer-crimes-law-introduced-in-congress/
======
aston
These changes seem like an excellent step. But it's worth noting that even
under the new proposal Aaron would have likely run afoul of the "access
without authorization" component. I'm also not sure the new language around
repeat offenders would have made a difference given the plea bargain, but I
could imagine it would have made the maximum sentence sound less scary.

In addition to the two changes listed by Ars Technica, there's another tweak
making it clear that the court should consider the "fair market" value of the
information, which I guess for JSTOR would have still looked quite high.

~~~
MWil
I've argued till I've become blue in the face about this and I guess I'm a
glutton for punishment so I'll ask it again: exactly where in the facts do you
think authorization was missing?

MIT allows a level of access on its networks that people not on MIT have
trouble understanding, it's not what you or I (assuming you're not from MIT)
would think of on other campuses and certainly not in the private sector.

Second, you can't have your cake and eat it too. You can't have an unusually
open access system in place, one that allows any and all visitors to come on
with any email they wish, but then think that blocking an IP means you can
call it a day, authorization over. That makes no sense. If he uses a new
address, he gets authorization again. If he gets a new MAC address he gets
authorization again. Sadly, I think for MIT to remove authorization they would
have to be less open, they would have to actually change policies for signing
up to campus networks.

And don't get me started on the unlocked, well graffiti'd closet...

~~~
rayiner
> Second, you can't have your cake and eat it too. You can't have an unusually
> open access system in place, one that allows any and all visitors to come on
> with any email they wish, but then think that blocking an IP means you can
> call it a day, authorization over.

When it's their private property, they _can_ have their cake and eat it too. I
can let everyone in town into my living room but capriciously disallow you one
day because I realize you have attached earlobes. That's just how license
works.

The only consideration is notice. Does blocking a MAC address reasonably
signal to the user that their consent was revoked, either objectively or in
actual fact? I think you'd have a hard time arguing that Aaron, being very
technically savvy, didn't realize that MIT was trying to kick him off its
network.

~~~
wisty
> When it's their private property, they can have their cake and eat it too. I
> can let everyone in town into my living room but capriciously disallow you
> one day because I realize you have attached earlobes. That's just how
> license works.

And if I come back wearing prosthetic ears, is that a felony?

~~~
raldi
It is if you then sneak into his closet and start tampering with the wiring.

------
tptacek
The timing here is not great, is it?

(I think the law is a step forward, though I don't think it does enough to
mitigate the real problem with CFAA, which is that sentences under CFAA scale
with dollar damages. The bit about making it harder to "accelerate" CFAA
crimes when they're done in furtherance of crimes that are also CFAA crimes is
also very important, but doesn't address the core flaw of the statute.)

------
hispeedencrypt
Have you stopped to think about the fact of enforcing the CFAA so harshly
against private citizens (e.g. downloading too many JSTOR articles), while
their government boasts about hacking into the critical network infrastructure
of other countries? Something doesn't seem right. Wild west, but global, I
guess.

~~~
rayiner
> Wild west, but global, I guess.

Yes, "international law" is a fiction and rightly so.

------
monochromatic
Yet again, a bill named after a person turns out to be poorly drafted
pandering.

------
a_soncodi
I recall a past comment on HN claiming that altering URLs to discover content
may constitute hacking. For example,

    
    
      http://site.com/posts/img.jpg
      http://site.com/posts/img_t.jpg
    

In the first paragraph of the article:

> The proposed definition … is to obtain information … by knowingly
> circumventing technological or physical measures designed to prevent
> unauthorized individuals from obtaining that information.

suggests that, in that context, the debate would be whether a certain URL
structure implies a legitimate attempt at securing content, rather than just
being a side-effect of website structure/design.

Would it be unreasonable to argue that blatant disregard for security due
diligence or just 'bad' security is not an honest attempt at the same, and
thus equivalent to no security at all?

------
Goladus
I thought the primary problem with Swartz's case was an overzealous US
attorney pursuing prosecution far beyond any legitimate state interest.

~~~
hkmurakami
Laws that can be used to pursue such zealotry didn't help either.

