Would Aaron's Law have helped Aaron? Both Orin Kerr and Jennifer Granick have said that his actions in evading filtering and shutoffs on MIT's networks would have created a plausible argument for the prosecution that he had been evading specific code-based authorization mechanisms and would have known his access was unauthorized.
If you read Reason, you're immediately suspicious of laws with people's names on them; they're often more about PR than about well-thought-out policy changes.
Granick makes pretty good arguments that it's the sentencing structure of CFAA that creates the largest problems (a low evidentiary standard for establishing damages, not to mention the ridiculousness of criminal sentences that scale with the number of documents you download). But more importantly, prosecutorial misconduct is at the heart of this case. Surely we're going to do something about that, right?
Obviously, I don't think TOS violations should be felonies, for whatever that's worth. Lessig, on Reddit, says it's critically important.
I read the Granick piece. One thing that strikes me as completely absurd is that the plea deal is for a substantially lower sentence and that if the plea deal is rejected the prosecution will go for a much higher punishment, sometimes as much as 10 times as much as offered in the deal. It would seem to me that if you offer a guilty plea that is 10% of what you intend to seek that if such an offer is on the record that a small multiple of that (say twice as much) should become the new maximum sentence. It's utterly frivolous to mess around with 90% or more of a sentence just to put pressure on people, that's poker table tactics and we're dealing with people's lives here.
The most worrying bit is the part where she says that people will plead guilty to things they did not actually do just to not have the chance at a much worse sentence during a trial stacked against them. This is not about justice at all, it's just a numbers game.
For reference, here in the UK people (typically) get 33% off their sentence if they plead guilty. There was a push in 2011 to make it 50%, but that was rejected.
However the people being prosecuted don't know in advance what sentence they will receive exactly. Sentencing is carried out after the verdict (sometimes quite a while after if "pre-sentence reports" need to be compiled). There are sentencing guidelines, so they have a reasonable idea or starting point, but there is much variation in these due to many different mitigation or aggravating factors.
Particularly at the "low" end, a person may not know whether they will be getting 33% off a community order or 33% off a jail sentence.
Still, there are very, very few occasions where it is reported that innocent people plead guilty due to the reduction in risk. That may also be due to the reasonable lengths of the starting sentences.
The majority that go through the courts, that is those who are actually guilty, plead guilty. They get a small "reward" for not tying up the courts unnecessarily.
My personal opinion is that in an ideal world we wouldn't offer any plea deals, but we don't live in that world. Yet.
No. It's not a deal that's "made" per se, there are no conditions to be haggled over, it's simply that Judges will automatically award the reduced penalty at the sentencing stage if the defendant pleads guilty.
> The prosecutor claimed to be planning to press for about 12-14x the plea offer.
Is that better? There comes a point where it doesn't make a difference anymore.
Ever see a sale like that? Where one day something costs 10 bucks and then the next day it's 170? Me neither. That's not a deal. It's blackmail. Do what we want or we'll do our best to destroy your whole life. Justice, eh?
We'll let you off the hook if you pay us $200 of the $2000 that you may or may not actually owe us. And just in case you've missed it, there are four snipers at the top of the roof. I don't know what they're doing there, but thought you might wanna know.
hm. Well, if we allow a volunteer to stop volunteering at any point, this necessitates that the actual inmate remains in jail (concurrently) until the original sentence is completely fulfilled. So a 20 year gangbanger rap might turn into 4 5-year sentences. Or 20 1-year sentences. But the latter might be foolish, as the gang would lose power if most members were out of the game.
Just was trying to think of ways for 'social proof' that certain sentences were outrageous and ridiculous (beyond juries, since their "peer" requirement has been effectively destroyed in today's specialization-based society).
I've spent some time thinking about this myself, and about time vs money tradeoffs. Depends on what you think prison is for. If it's rehab, rehabbing a group of friends doesn't seem to work. If it's a safe place to keep bad people, you're not keeping them there. If it's about punishment, then maybe.
But prison sucks not just because you have to eat crappy food. It's because you have to eat crappy food every day. If a rotating crew each serves one day, what's that? I can go a day without eating. This is a sum of the parts less than the whole situation. And the key is that people in jail aren't free to pick their schedule. You don't get to swap out with a buddy so you can attend your sister's wedding. If you're stuck in a shitty place unless you get someone to cover your shift, you're not in prison. You're working at Walmart.
Incidentally, I've read that hiring prison doubles is a thing in China. It's illegal, so you're effectively under house arrest for the duration to avoid detection, but you're also not in prison. The guy you hired to show up and say your name is.
If a sentence is outrageous, you get a crowd of people to march around and protest until the governor or president grants a pardon. That's the existing process to deal with exceptional circumstances.
> rehabbing a group of friends doesn't seem to work
And if it were gangsters, it seems like it would have the opposite effect. Three square meals a day and some downtime to plan your next misdeed. And heck, the same goes for activists actually. So there would have to be no personal contact. Not that the US prison system is in any way about rehab.
> If it's a safe place to keep bad people, you're not keeping them there ... This is a sum of the parts less than the whole situation
Well presumably only other bad people sign up to help out bad people, and the idea would be that only with enough support, the sum of the parts would indeed be reduced. Trying to gauge my own utility function, it feels that sentences from between 3 months to 2 years would have corresponding increasing harshness on life-as-I-know-it. Under and it's a vacation, over and my present existence is basically completely gone. Of course those with a different uh, world view, would have a wildly different utility function.
OTOH this is clearly not a DIY avenue, and if that political will were actually available, instead of further codifying the prison industry why not just actually fix the damned legal system instead - vague laws, prosecutorial overreach, understandable due process, right to representation, broken sentencing, etc.
I really like your idea of "pricing" using multiples of the prison sentence if plea bargain isn't accepted. This forces market dynamics that the prosecution must consider. I don't know if 2x, 1.5x or 3x is the right amount, but whatever the multiple, the prosecution knows that the accused is actually weighing the benefits based on the fact that they know they are innocent or guilty instead of treating their awareness of their own guilt as irrelevant, which is something a 10x multiple does.
At 10x, knowing that you are innocent is completely irrelevant to the issue at hand and it simply becomes a choice between the lesser of two evils, because a good is not a realistic option.
This. The law should be rewritten to prohibit prosecutors from entering into plea deals of less than X% of the maximum sentence they are prosecuting someone for, with the exception of plea/immunity deals that include providing incriminating evidence in another case or against another person. Not sure what X% should really be, but it should be sufficiently high as to prevent prosecutors from using the large delta between plea and conviction sentences as leverage. My initial thought would be 50%.
I think I got your point. I just approached the problem from the other side. I think limiting a prosecutor's ability to bargain would be easier from a legislative standpoint than getting involved in sentencing, and more effective since the sentence asked by the prosecution is really just a recommendation. Either way, the important part is ratio of sentence to plea bargain, if I understood you correctly.
Prosecutors will go for very low plea bargains if their case is shaky, with huge penalties for not accepting the plea, so many shaky cases never make it to trial. By reversing the situation you end up with half of the maximum rather than maybe 10% of it, in effect most plea offers would increase rather than stay at their current level and many more cases would have to be tried.
I think that the idea here is to prevent prosecutors from charging people when they only have a really shaky case then using the leverage of a small plea to force people into pleading guilty. If prosecutors don't want to lose cases, and they can't force people to accept really low pleas then they would have to stop trying to get people on really shaky cases.
There may be a problem, no matter which side you approach it from.
Suppose the prosecution makes an offer, they're willing to go lower, but only if they think the defense will accept. The defense then rejects the offer, perhaps with the implication they might accept a lower offer. If a lower offer is made, the defense can reject it but now they have less risk—since the offer was made the prosecution is bound to x% beyond that.
Some people might view that as gaming the system and I'm not sure it could be tuned to avoid that. On the other hand it might improve honesty on both sides of the table. The ratchet effect may keep the defense from being intimidated. The net effect should promote not guilty pleas among the innocent, but ideally it should not have that effect on the guilty.
Re: his actions in evading filtering and shutoffs on MIT's networks
Have you seen any halfway credible summary on what he did? I'll probably read the formal indictment eventually, but I'm not expecting a real balanced presentation. To be clear: just asking if anyone has a good hyperlink.
For example, I'd like to know what did he do on the Wifi other than change his MAC address?
It's said he "broke into" the wiring closet. Did he use an axe? Pick the lock? Was it unlocked? Once in, did he simply plug in to the Ethernet like any good network citizen would do (to avoid hogging the Wifi)?
Once on the network, did he root boxes or simply request documents that the server was happy to give him?
This blog describes a scenario in which JSTOR blocked Aaron's IP, then MIT blocked his MAC address, then JSTOR blocked an MIT IP range after he kept circumventing their attempts to cut him off. Ultimately, "Swartz broke into a closet in the basement of a building at MIT and connected his computer directly to the network — hiding his computer under a box so no one would see it."
It's worth noting that Prof. Kerr stated that he used the indictment as a significant source of the facts in his legal analysis. I would be inclined to trust it a lot less as an account of what actually happened than for the analysis of what the law says given the facts he describes.
I wouldn't have thought that hiding his face with a bike helmet would have mattered. After all, I do weird things any time I know I'm being watched by a camera; there's one on the elevator at the garage that I habitually cover.
No, I hadn't. It's your emphasis and attitude that come across as completely different. I kept trying to tell ya, the legal machine looks a lot different when you examine it as if you're the one at odds with it.
By abusing computer fraud laws to needlessly persecute Aaron Swartz, these Boston prosecutors have done grave damage to the entirely legitimate enterprise of having the state help protect individuals and businesses from criminals who can and do hire out superior security talent. Look at HN over the last two days: anyone who's ever been convicted of a computer crime, even if that crime involved the mass theft and subsequent resale of credit cards, is a newly minted hero of the cause of openness. That's Boston's doing.
The law cannot hope to capture every possible nuance of all conceivable offenses. As every lawyer who's ever argued with a Hacker on HN has pointed out, the law is not a programming language and courts aren't computer architectures. We want our rules, laws, and metalaws to provide every protection to the accused that they reasonably can, but at some point it's always going to come down to the discretion of humans appointed to positions of authority. Those authorities need to be equal to the task, or we delegitimize the whole effort.
I'm sad about what happened to Aaron. I look at the photos of him in his teens hanging out with Dave Winer and Lawrence Lessig; he was a small kid, and I have a big 13 year old. I exchanged an email or two with him, but my wife didn't know him at all and she's upset, as I would assume any parent reading about this would be. And obviously in light of what happened, I'm a little harsh on how I interacted with Aaron online --- not on the prosecution threads, but you know, on threads about "hollywood launches" and stuff like that.
But beyond that, what happened offends me in principle. If they're not the exact same principles that you've had offended, that doesn't matter much, does it? The justice system seems to have achieved a pretty high level of coverage in offended principles.
> anyone who's ever been convicted of a computer crime, even if that crime involved the mass theft and subsequent resale of credit cards, is a newly minted hero of the cause of openness
Specifics? I don't recall seeing this, but maybe I'm just unobservant.
> The law cannot hope to capture every possible nuance of all conceivable offenses
On the other hand, the point of having the law instead of The Decider is that acceptability of a particular behavior can be reasonably foreseen. And for the long standing laws most everybody now thinks of as self-evident (murder, rape, robbery, etc.), this is basically the case. But the problem with many newer widely-scoped laws, especially federal ones, is that they're highly vague and allow so much leeway, the question becomes quite unanswerable. Are these vague laws primarily used to punish bona fide criminals? Yes. But when we fail to examine the law for what it conceivably could do and instead take comfort in what it usually does, when we fail to stand up for injustices against people who are ultimately not very nice, we set ourselves up for exactly what happened here - a grave injustice against an unlucky blatantly-undeserving target. It's simply the only thing remaining that provides any check on the expedience of the Deciders.
I unfortunately never interacted with Aaron. I identify with a lot of his optimism, even while feeling older than his naivety. I think we've probably had similar principles offended in this case. It just took a tangible incident with high wtf-levels to offend yours, whereas mine go off for hypothetical possibilities and run-of-the-mill wtf-levels.
> I'm a little harsh on how I interacted with Aaron online --- not on the prosecution threads, but you know, on threads about "hollywood launches" and stuff like that.
Those prosecution threads should give you pause just the same, and Aaron is absolutely not the only person that you've acted like that with. I respect you tremendously for your technical knowledge, but for someone who reminds people to 'stay classy' and who claims the moral high ground with some regularity a bit of introspection wouldn't hurt. I'd respect you a lot more still. I'm very happy to see you come around in your way of thinking about this particular case though.
You're definitely the same Jacques I remember. I haven't come around on this case; I have the same opinion of it I always had. Like Aaron's own lawyer, I was confident he was at no real risk of serving time --- first time offender, no commercial purpose, no co-conspirators, minimal attempt to hide, no damage. It was hard to fathom that he'd do worse than credit card thieves. Unlike his lawyer, who was privy to all sorts of facts neither you nor I had, I was unaware of the psychological games the prosecution was playing. Have you noticed how shocked everyone is at what happened? That's because what happened was shocking. I think what Aaron did was wrong, but like I said at the time, I was hoping he'd do well at trial.
I definitely don't think of myself as any classier than you; I think we occupy opposite poles of some deranged message board energy sphere. Or you're the heat miser and I'm the cold miser. Either way, I can spot a dumb argument as quickly as you can, and just because I'm imperfect doesn't mean I'm not going to point them out.
> I haven't come around on this case; I have the same opinion of it I always had.
I'll take your word for it but I'm getting a different impression.
Aaron was fairly clearly being made an example out of, and I think that after the expansion of the indictment (http://news.ycombinator.com/item?id=4528083, a thread in which you commented, and which came before the thread about Aaron's friends setting up a defence fund) that would have been pretty obvious even to those not already of that opinion.
Maybe I'm slightly more sensitive to this stuff because of some of the things that happened in the wake of reocities.com but let's just say that if Aaron had charges worth a few decades thrown at him for TOS violations and unauthorized access I should probably be in jail for at least several decades because of that little gig.
I know everybody is shocked at what happened, but I'm far more shocked at Aaron's suicide than at the travesty of justice perpetrated there, there are lots more examples of such things happening on a daily basis.
I think my mentality about the law is different enough from the one that prevails on HN that I appear much more conservative or authoritarian than I am. I say something anti-authoritarian and I sound like I've done a 180.
We should stop talking about us, or at least, about me. This isn't about me/us.
Burglary (entry for the purposes of committing an offense) is broken down into three sub-categories: forcible entry, unlawful entry where no force is used, and attempted forcible entry. It doesn't matter if you use a tank or a paperclip, or even if you're successful.
You're not the first person to think up the "but it wasn't locked (very well)!" defense. :)
Of course, but then we ought to apply reasonable standards of trespass before we can talk of federal-level "breaking and entering". He was present as a guest on MIT campus and the trespassing charges had even been dropped.
Show me a university campus where the students don't poke around in unlocked basements and closets and I'll show you a worthless university.
Entering a wiring closet with a lawful excuse is permitted. You genuinely thought it was the door to the bathroom, or smelled smoke.
Entering a wiring closet with lawful intent but not a lawful excuse is trespass. For example someone left a light on and you wanted to turn it off. The property owner can generally have you removed and file a civil case.
Entering a wiring closet with unlawful intent is a crime. For example your MAC address has been blocked from the wireless network and you intend to plug in to avoid that block.
So hopefully it makes sense now. They can't just charge him for breaking into the closet (unless he did property damage), but they can charge him in addition to another crime (and you can argue till you're blue in the face if THAT was a crime, I don't have an opinion). It's like the magical "with intent to distribute" if you cut up your drugs into lots of little baggies.
(IANAL, but I did have one explain this stuff to me years ago in relation to an employee termination)
He wasn't charged with breaking & entering. The fact of his "breaking in" to the wiring closet was used to establish his intent and understanding that his actions were unauthorized. It's part of a pattern of facts that established the elements required to charge him with fraud.
Lots of places are unlocked that you're still not supposed to go into. How hard it is to get into somewhere you're not supposed to go is completely irrelevant, as is how hard you have to work to evade someone trying to get you off their network.
MIT has a pretty open unofficial policy when it comes to trespassing, as one would expect from any school with a dominant hacker culture. People used to go into network closets, pick locks, go into maintenance tunnels, etc. There's a very visible/popular student club on campus devoted to this.
Which is something that apparently shocked Swartz. In fact, whatever the administration at MIT may have felt at the time, Swartz wasn't violating the community norms as I understood them. Maybe there's something sacred about wiring closets at MIT, but every other place there seems to be a hobbyist lockpicking playground.
This is obviously a situation where the community norms of MIT have collided painfully with the policies of its administration. Swartz thought the norms would be controlling; he miscalculated: it was the policies that mattered.
Is there any evidence that MIT's 'policies' were anything other than made up on the spot?
As far as I can tell it looks like "OMG! The attacker has changed his MAC address! We don't know how to stop him! He's stealing all the priceless research papers...call the DHS cyber-espionage defense unit for help! the packets are coming from INSIDE THE WIRING CLOSET!!"
The validity of this bill, of course, has nothing whatever to do with its name. That's self-evident. So we should evaluate it on its merits, even if there may be a demonstrable tendency in the past for bills with sensationalistic names to lack substance.
But it would help others. It is a step in the right direction. I support it.
Seriously, how does that even make sense? The idea of a sentence that is accelerated if it's your Nth offense makes sense. A sentence accelerated by malicious destruction (of any sort) makes sense. Accelerate if done for commercial gain. Accelerate for deliberately obstructing investigations. Accelerate for being the ringleader of a conspiracy.
But a sentencing structure that says "fuck it, all we have to go on is damages, so go make up a plausible story and we'll use that to figure out where on the X axis of this spreadsheet you figure out" --- and "plausible story" is exactly the term when you learn about the burden of proof here --- it makes no sense at all. The same mindset, intent, and actions can't generate radically different outcomes based on how many iterations a for() loop makes before you get caught.
Well, it's a problem with sentencing in general. If you have $2m and I steal $1m from your safe, it's judged a much worse crime than if you have $200 and I steal all of it, even though the outcome for you is a lot worse in the second case. Ideally the imposition would be quantified in terms of the marginal cost to the injured party, but then there's another economic theory that says we have to multiply that by the probability of capture in order to achieve deterrence by means of a criminal's indifference curve.
And at that, we're not even committed to any kind of intellectual theory of sentencing in the first place - some lawmakers think sentencing is a punitive matter, some rehabilitative, and so on. Gestural politics are the norm in American criminal justice; which goes some way to explaining how we only recently had mandatory minimum sentences recognized as unconstitutional, and how the crack/cocaine disparity was addressed even more recently, despite its blatantly obvious unfairness.
I don't think legislation will go anywhere, since the house GOP will probably sink it in the name of personal responsibility.
Sure, the legislation won't go anywhere if you go out of your way to make it seem like a one-party issue.
Some of us have been reaching out to our GOP representatives, especially those who've expressed prior concerns about prosecutorial abuse of power. I see Darrell Issa - on the Oversight Committee, and hardly a liberal - has already agreed to look into the appropriateness of Aaron's prosecutors' behavior.
It's really not that hard to tie the type of bullying Aaron went through to the bullying suffered by more GOP-friendly victims like the Reese family out in New Mexico. You can wrap it all up in a nice bow of Fast & Furious. If you want the House GOP to pass this legislation, why don't you do your part and reach out?
I agree completely - but it's a good step in the right direction. I didn't mention it in the letters I've already written, because I didn't know about it, but I'll certainly be working it into the letters I haven't written yet.
It's a hack to make it easier to put major drug distributors, commercial piracy operations, etc, away for longer sentences on the assumption that if you're downloading a million documents, you must be engaged in some large criminal enterprise.
Really, no crime needs more than a few degrees (it's good enough for murder, after all). Even things like aggravating factors can be used pretty unfairly.
This goes even further: if one was to carry drugs in a ziplock bag (or whatever else they're carried in, I am probably one of the few people on HN who doesn't know), when calculating the charges, it's not uncommon for the weight of a ziplock bag to be added to the weight of whatever is in it. God help someone who decides to stash the drugs away inside their spare wheel in their car.
Angry nerds is a force we can use for good -- reforming CFAA is probably useful on its own merits (I fully support this legislation), but majority of people being judicially bullied into unreasonable plea bargains (or worse, manifestation of physical or mental illness such as suicide and heart attacks) are not being charged under CFAA.
Legislating against what you term "prosecutorial misconduct" is far fetched. Can you imagine how you would word that legislation without hampering law enforcement efforts against the real bad guys? Do you really want that?
Having the law named after Aaron would be more than symbolic, it would be a perpetual reminder that overreach against programmers who in general want to make the world a better place can result in massive civil outcry, and to a large extent address your concerns too.
Do I want a better sentencing system for computer fraud, so that it remains possible for companies to defend themselves without needing to spend hundreds of thousands of dollars every quarter finding every conceivable loophole an attacker might exploit, while not leading to a situation where simply using a computer turns a simple offense into a 6 year prison sentence?
Yes, that is what I want, and I don't think it's too much to ask for.
After I wrote the comment above, I worried that it would read as a contrarian barb at any attempt to move forward with better computer crime laws. I don't mean it that way, which is why I went back and pointed out that Lessig thinks it's "critically important". But I meant my first question as I wrote it: would Aaron's Law really have helped Aaron?
It's too late for that. Look to the future instead. Will having Aaron's Law in place, coupled with civil outcry and petitions we've seen, prevent the next Aaron from being over-zealously prosecuted?
I think the answer is: not entirely, but it's a huge, practical step in that direction. This is one of those things that you celebrate, not dismiss cynically.
Think of an alternate reaction. Why not create a petition on the whitehouse to make this small step a reality instead of cynically dismissing it? Remember, your pessimism can influence a whole audience into inaction. Recent precedent suggests.
I'm not being cynical. The fact that Aaron's Law wouldn't have helped Aaron isn't a cynical point. I don't oppose the act at all. TOS violations shouldn't be felonies.
This is one of those ridiculous message board arguments where both parties agree, and the argument is actually not about the issues but about the metaissue of how people are posturing. Do you believe federal criminal sentencing is sensible or just? Here, I'll just speak for you: no you don't. We disagree on nothing. Let's move on.
The problem I'm bringing up is that Kerr and Granick have both pointed out that TOS violations weren't the only problem, or even the most severe problem, facing Swartz's defense. His attempts to evade filtering had the added misfortune of setting him up to "appear guilty" at trial.
Guests from any IP, except Aaron's IP. Until he got a new one. And then another.
Hypothetical Question: someone is accessing your network in an unauthorized way. How do you tell them? An IP is not a person, so how do you make your desire that they stop known? Block their IP? What if they come back with a new one?
Do you really think that any legal change would reduce the need for security auditing of apps? I'm afraid that seems awfully unlikely to me. Even if US-based attackers would be deterred, there are plenty of places in the world the Internet reaches but US jurisdiction doesn't.
I think the effort put into securing computers is an inevitable dead-weight loss. Laws against pollution don't make everyone stop polluting; some polluters will just find creative ways to conceal what they're doing. Definitely doesn't mean I think pollution should be legal.
Computer security, at least while attached to the Internet, doesn't work that way. When all it takes is one attacker anywhere in the world to write a worm that compromises everyone, everyone needs to secure their systems.
Some problems really are best solved using technical means. If we stop building systems that can be exploited by arbitrary outsiders (yes, this is possible, and probably not that expensive in the long run if we standardize a few good protocols), then we should be able to reach a point where a certain baseline of security can just be taken for granted.
The idea that abusing people's computers to disable their businesses or gain access to confidential information should be legal because "that problem is best solved using technical means" is so hostile to my perspective that there's probably little chance of us learning anything from each other by debating it.
You spoke for me well enough. If you reduce the number of computer criminals by 90%, it won't perceptibly change the amount of work that anyone has to put into writing secure programs, because the 10% of remaining criminals will still exploit everyone's vulnerabilities. If those laws impose friction on the rest of us (e.g. laws mandating wiretapping and/or filtering capability), then we all suffer huge aggregate costs for basically no gain.
> Lofgren's proposal appears to address the EFF's main concerns
Does it? I don't see anything reducing the excessive penalties, just somewhat narrowing what qualifies for them.
Let me be clear, I think this bill is a good bill -- I don't see anything wrong with it except that it is incomplete. It solves only a small subset of the problems we need to solve here. Narrowing the definition of unauthorized access can only be a good thing, but I could reasonably argue that it is still too broad given the current penalties, and remains incredibly vague notwithstanding that this would explicitly exclude certain things. So either the penalties still need to come down significantly, or what qualifies needs to be further narrowed, or both. But it's a good first draft. A step in the right direction.
The problem with prosecutorial discretion is that it allows prosecutors to drift down from the baseline sentencing (see: DACA re: DREAM Act) but also choose not to. In this case, the AUSA clearly decided that maximizing the sentence was the best way to get a plea bargain to increase his metrics of successful prosecutions.
The law is never going to be perfect, and our outcries do more to serve as a perpetual reminder (see: SOPA) against legal overreach than any law will be.
>Legislating against what you term "prosecutorial misconduct" is far fetched. Can you imagine how you would word that legislation without hampering law enforcement efforts against the real bad guys? Do you really want that?
Maybe it's less about "legislating against" the specific conduct, and more about oversight on incumbent prosecutors and ease of removal when someone proves themselves unworthy of the considerable power with which they've been trusted.
My personal belief (which is significantly different from the law on the matter as I understand it) is that "unauthorized access" for computer crimes should require intentional, material deception. That means that they deceived someone (or their computer), that they did so intentionally, and that but-for that deception, access would not have been given.
I do believe that one could argue over whether changing one's MAC address (or IP) constituted that sort of deception. So in all honesty, it's possible that he would still be convicted by a standard like that, though I would like to think that he would not. Intention would seem to be hard to prove, though reasonable minds might differ.
Separately, I think that computer crimes have disproportionate penalties right now. I really don't see any reason why using a computer to steal money (or commit whatever other crime) should merit a greater sentence than stealing the same amount by other means. I am aware that it has been like this for some time, but hackers have had longstanding gripes with this state of affairs, dating back to Morris & Mitnick.
My "Lessig is not always technically correct" moment came while reading The Future of Ideas. He compares radio spectrum to an Ethernet hub, everybody plugs in and it just works. Problem is, there's a reason everybody moved from using hubs to switches, which are a lot more like centrally controlled cell towers. It's not a bad thing, but he is not a bits and bytes person.
I've never fully grokked the physical limits behind these newfangled unlimited spread spectrum ideas. Clearly there has to be some, and not knowing specifically what they are makes me highly skeptical.
SEC. 2. ELIMINATION OF CERTAIN VIOLATIONS OF AGREEMENTS OR CONTRACTUAL OBLIGATIONS, RELATING TO INTERNET SERVICE, FROM THE PURVIEW OF CERTAIN CRIMINAL PROHIBITIONS.
(a) FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS. - Section 1030(e)(6) of title 18, United States Code, is amended by striking ‘‘alter;’’ and inserting the following: ‘‘alter, but does not include access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;’’.
(b) FRAUD BY WIRE, RADIO, OR TELEVISION. - Section 1343 of title 18, United States Code, is amended by inserting after the first sentence the following: ‘‘A violation of an agreement or contractual obligation regarding Internet or computer use, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer is not in itself a violation of this section.’’.
It essentially means that violating a TOS will no longer be considered "wire fraud".
The charges against Aaron do appear legit, and I don't see how changing the definition of wire fraud to exclude TOS violations would have affected Aaron's case. Set aside the issue of whether you think the prosecution pursued Aaron's case too aggressively (I think they did) or whether you think the permissible sentences for these crimes are fair (I think they are not).
Interesting sidenote: Kerr himself defended Lori Drew in the so-called "MySpace suicide" case (2008), in which Drew was convicted of computer crimes and wire fraud for violating MySpace's TOS by "cyber bullying" 13-year-old Megan Meier, resulting in Megan's suicide (the conviction was overturned on appeal). http://email@example.com/msg1...
There is no federal law against cyber-bullying, so the prosecution in that case used these same computer and wire fraud laws to go after Drew for her role in Megan's suicide.
Perhaps less that it has amped up penalties and more that it has a careless and capricious standard for mapping alleged damages into sentencing categories. It's not necessarily that the CFAA on its face is unreasonably harsh; it's that it's attached to a stupid scheme from which harshness is an emergent property.
My understanding of this (and it's admittedly pretty limited) says yes. One of the articles I read (sorry, no link) explained that JSTOR and MIT had an agreement that basically provided free unencumbered JSTOR access to anyone on MIT's network. There was no process in place to detect and deny large-scale downloaders of documents. And this was pretty much by design. JSTOR was basically a wide-open field full of documents, with nothing more than a placard saying "don't abuse this field". No fences, no gates, nothing.
As I understand it, this was the only 'ongoing' access control. However MIT individually blocked his MAC address, so he then changed it to get back on the network. But I'm not sure where the need to plug his laptop into a cupboard came in, so I must be missing something.
YES. Vote up this comment, for he speaks the truth.
Edit: Note to PG and HN mods. With power comes responsibility. You have in the past allowed cynical posts to reach the top and influence opinion, and that's led to tragic consequences. See the infamous Aaron post from Ed. It's happening again. I encourage you to vote down negative nonsense, even if it consists of well constructed sentences and comes from people with high karma scores. Or whatever the kids call it these days.
Federal prosecutors' primary tactics mirror those of the medieval siege. They do their best to fling arrows at the castle by generating enormous amounts of discovery material. They starve defendants with insanely over-broad civil asset forfeiture laws. They charge crimes on the prosecutor's whims: HSBC bankers get away with laundering hundreds of billions for Iran, but go after Aaron Swartz with utter malice. Of course, these whims are driven (as always) by personal ambition, outright greed, and a strategy towards personal profit. They strip the defendant of all his most essential Constitutional rights, and then bully him into accepting the arbitrary conditions imposed by one in a position of power, desecrating the right to a trial by peers--a right we gained in the 13th century.
We must pass laws mandating adequate funding for the judiciary, and mandating that after the prosecution's total expenditures surpass $50,000, the prosecution must contribute the amount it spends on its own expenses, minus the first $50,000, to a legal defense fund for the defendant.
This will ensure the government will not resort to dirty tactics like inundation with discovery materials, since they will just have to pay for the defendant's lawyers to read them all. They will not be able to subjugate defendants with their might, because defendants will have the means available to them to stand up to it.
This would basically mean you could never get a large company or criminal organization for anything. If you're trying to uncover e.g. systematic FCPA violations, you can't help but make the case complex.
Fine, and so the case is complex and expensive. If the accused truly are guilty, then they will be afforded due process of law and then convicted. The case may cost twice as much for the government to prosecute, but the large company will forfeit any profits derived from that criminal activity.
Besides, the DoJ consumes an absurdly low proportion of the Federal budget. Even if this law doubled the DoJ's budget (impossible; they still have to pay for facilities, support staff, etc.), it is a worthy price to pay for a safeguard of the liberties we've enjoyed for nearly a millennium.
That sounds like a problem with the sentences and not with the plea.
--> Current world: Defendants have a choice between accepting a certain jail term of Y or risking trial where they'll get in a range from 0-X (where X >> Y).
--> Your world: Defendants must risk trial where they'll get in a range from 0-X.
How is the second one better? If you want to reduce X, then just reduce X. The same argument goes if you say that Y must be some fraction of X --- if I were a defendant, I'd want at least an option of a very small Y (and if X is too high, just reduce X).
In addition to all the efficiency arguments (jurors, court costs, etc), guilty pleas save victims and witnesses from having to show up in court, be aggressively cross-examined by defense counsel, and suffer again. Why is it beneficial for somebody who knows he's guilty and knows he'll be convicted to have to inflict pain on his victims again?
By the time that you have gotten to the point where you are considering a plea bargain vs. a trial you have already lost. Even if you are innocent of the crime, the plea bargain can look really tempting.
In cases like this, offering a low-ball plea bargain (e.g. '6 month sentence or go to trial and risk 35 years') can mean that the prosecutor's office would rather not go to trial (because they have a weak case). Seems to me that if the case is weak, then prosecutor shouldn't be pursuing it.
[Though, maybe if it's a case of significant loss to the victim (e.g. murder), then pursuing the case even when it's weak may make sense.]
To be fair it's doubtful that most of that would have actually held up in court. That woman who bullied that 13-year-old to committing suicide a couple of years ago was similarly charged under a very broad interpretation of wire fraud and was only ultimately convicted of a misdemeanor.
Though he gets bankrupted from legal costs either way for sure
Which needs to bring along with it some combination of an increase in the amount of resources the courts have to handle trials, decrease in the number of victimless "crimes", and better ways to reduce recidivism.
Otherwise, the system would collapse under the weight of all of the trials and prisoners.
Getting rid of plea bargaining doesn't make the problem better; it makes it worse by removing any compromise between walking away and the maximum sentence.
From my own experience: in mental commitment proceedings, there is no halfway point between letting the defendant stay free and committing them to a mental hospital. Consequently, the prosecutor's office simply never negotiates; they take every case to trial.
Here's the thing: Getting rid of plea bargaining will mean every case must go to court. Since the courts are unable to deal with that many cases the prosecutors will be MUCH more selective when deciding which cases to take on. Fewer people will get charged and fewer people will go to jail.
That's not necessarily better. The purpose of plea bargaining is to work the huge mass of petty criminals through the system. The legal presumption of innocence notwithstanding, these people all did the crime, and it's generally a legit crime. Getting rid of plea bargaining means that prosecutors will focus on the big fish, but also means that lower level crimes (shoplifting, pick pocketing, etc) essentially become unenforceable.
You go to jail once you're charged, not when you are convicted. My hometown is currently running into budgetary problems and has scaled back the court system to funnel more funds to the jail housing everyone awaiting trial.
So, "any device which communicates with any device" then? We might need to add a clarification that communicating with itself is included, and that communication could be uni-, bi-, or multi-directional...
Before you do, make sure you spend some time reading the analysis here and on reddit, and come to a solid conclusion whether this proposed change actually would have helped Aaron, or whether it's a feel good attempt to use his name for political gain.
I think it's possible for the bill to be a good idea even if it would not have helped Aaron, and also possible for it to be suitable memorial even if it would not have helped in his particular case. The fact that it could help prevent some other similar cases would be good enough for me, for instance.
If you have any analyses you think are particularly valuable, feel free to recommend; I'm reading dozens of things per day about this story as it is, at the moment, as so many of us are.
I'm envisioning a course of events where this bill gains support and gets passed (fixing one problem, yes), but nothing is done to address the real causes of what happened. It's then reported on in the media as if this longstanding severe criminalization of acts-with-technology has been fixed, when the reality is that people like Aaron are extremely rare and we're unlikely to see a similar case in the next decade (/me knocks on wood).
Sorry to jump at you a bit. Most of the comments on reddit seem to be unthinking sycophantic praise, and don't really consider if this is the appropriate response.
I just wonder why she didn't act earlier, like, before Aaron killed himself. Maybe it's too much to ask, but she was well aware of his case, so I find it sad that actual action requires death as motivation.
Am I the only one who thinks that the current situation requires removing text from the federal register rather than adding it? In both cases, the changes here are insertions, with no deletions. There's plenty of offending code to delete, why let it rot more?
I agree with you, but I don't know how much credit she'd receive for merely trying to eliminate law.
We wouldn't need this massive, inconsistent, vague, and convoluted law system if we just followed a few fundamental moral principles. An analogy would be the overly-complex equations to support the Earth being at the center of the solar system. When the sun was rightfully placed there, the equations became more elegant.
A programming analogy would be to refactor similar laws into a more general form, follow KISS, use open-source software (free market) instead of reinventing the wheel (the type of wheel you'd find in Death Race 2000, btw), etc. But just like the programmer who gets job security from tangled, inscrutable code, Statists and lawyers do so from law.
Let's just sit back and revel in the irony of programmers discussing broad fixes to federal laws, based on insights from reddit comments.
To all the armchair legal experts of HN, here's a challenge: draft legislation that fixes what you propose and post it here. If you can't do that, you are not qualified to comment on the matter.
The EFF has addressed the technology aspects of this. You have ascended into general purpose prosecutorial reform. The legal profession has a vast number of incredibly intelligent people and the legal process has vast nuances, and to think you are an expert in the subject is downright arrogant.
You solve this problem by momentum and visibility, not tossing out arbitrary criticisms.
In the meanwhile, vote up the comment that urges readers to help get this passed.
It's quite disturbing that people expert in technology (such as HN visitors are) should not comment on the matter because they have no 'law' qualification.
Is this 'law' thinghy you are talking about something that only applies to people with 'law' qualifications?
Oh no, you say? It applies to everyone? OMG!
Here's my draft legislation: get rid of the laws used to incriminate Aaron as they are crazy, overreaching and unjust.
No need to polish a turd and I'm sure real crimes are already covered by non computer laws.
> ...most legislation in the House is worked on by attorneys in the Office. The signed paper version submitted to the Clerk of the House on the House Floor is the official document of record.
> HOLC, the main drafters of House legislation, consists of approximately 35 attorneys and a support staff of about 15 individuals, and is headed by the Legislative Counsel of the House who is appointed by the Speaker of the House...
> Because the paper version is the document of record, the drafters provide their clients with typeset drafts or PDF files that can be printed in the client’s office. The paper version of legislation is currently created in one of two ways...
The gory details come just after that, but the site itself seems out of date. More interesting is the peek at the physical process of drafting legislation.
Even though it might not have made Aaron's specific case go away, this bill does solve a serious problem with EULA breaches being used for overzealous prosecution.
Say that my ToS / EULA says "By using my product, you agree to hop on one foot while doing so." If some terrible person uses my product without hopping on one foot, then the worst thing that can happen to them in the legal system should be civil actions, namely, I can sue them for breach of contract.
If they can be criminally prosecuted for "hacking" my software/website, that seems to go against the entire concept of having a divide between civil and criminal cases. Only the government should have the power to declare that the specific behavior of failing to hop on one foot is criminal.
Letting any private party set arbitrary rules for any other private party that are enforced by criminal penalties is just nuts.
Maybe I am missing the point. But by applying the logic of this bill to other laws, then trespassing on private property, being asked to leave several times, but not doing so, should not be a crime either.
That's not a crime that will typically get you threatened with 50 years in federal prison, no.
We can't expect our 3000 year old "trespass" and "stealing" concepts to work well as metaphors for information systems built specifically to copy information at the rate of thousands or millions of times a second.