>In the law as it exists, doing something "anonymously" for the purpose of committing a crime is itself a crime. It's not the act of changing the MAC address that is illegal by itself.
What, then, was the underlying crime, if not this unauthorized access nonsense where access was allegedly unauthorized only because he was supposedly hiding his identity? Keep in mind that it wasn't copyright infringement (which normally isn't criminal anyway), because it wasn't JSTOR pressing charges, it was MIT.
>Your point, I think, is that that "extra" crime is a silly law. Which I think many of us agree with. But it's still the law, and it's not unreasonable for a prosecutor to enforce it.
But there are two issues here: There is what prosecutors did, and what the law allowed them to do. Even if you don't have a problem with the prosecutors, we can still have a problem with the law and work to have it changed.
>In fact, they have a duty to do so.
No they don't. They have prosecutorial discretion. If the application of the law in a particular case is ridiculous, they have no legal or professional obligation to press those charges.
> No they don't. They have prosecutorial discretion. If the application of the law in a particular case is ridiculous, they have no legal or professional obligation to press those charges.
You either break the law, or you don't. The law should be the same for everybody and should NOT be applied selectively. It's actually outrageous that you imply otherwise.
Because this happens it's precisely the reason for why we have ridiculous laws in the first place. If this goes on pretty soon everybody will be a criminal, but the world will still turn for you, until you manage to upset somebody you shouldn't have.
And since we are on the subject, that's how the law works in totalitarian states.
Exactly, and the reason for this is that we can't cover all possibilities with enough granularity for black and white to be close to reasonable.
If it was illegal to break a lock (black and white), then the guy who breaks a lock to steal your TV gets the same sentence as the guy who breaks his own lock because he forgot his keys, and the same as the guy who breaks a lock to get into a burning building to save a child, etc. Obviously this is ridiculous, but even so, how could we possibly cover all of the motivations for breaking a lock?
How could we cover all of the motivations for hiding your identity? How could it ever be black and white if we can't?
If we could, then the entire justice system could then be automated.
>Obviously this is ridiculous, but even so, how could we possibly cover all of the motivations for breaking a lock?
But here's the thing: That's why it isn't illegal to "break a lock." It's illegal to e.g. steal things. Because that's what we want to prohibit, not breaking locks, even if breaking locks is a thing mostly done by criminals who are trying to steal things.
Neither are you guilty of "breaking and entering" if you break your own lock. And you might also notice that the penalty for breaking and entering is a lot lower than it is for e.g. grand larceny (or, for that matter, murder).
You're missing the point (intentionally or not, I can't say). So to take a bad analogy even further...
I'm a lock troll. I like to go around breaking people's locks. I never steal anything, I just break locks because I'm a prick like that.
This guy I know, Franky, broke a lock the other day in order to save a child from a burning building.
How would you propose a black and white system handle this? Do I get to run around breaking locks with impunity, or are we going to punish Franky for the method of his good deed. I mean, the good deed's nice and all, but irrelevant to the matter at hand right?
1) You don't have a law against breaking locks. You have a law against willful destruction of other peoples' property, and locks are property.
2) You have an exception to such laws for exigent circumstances or implied consent.
Here is the flaw in your argument: We don't have to nail everything down to nail part of something down. We don't have to define "exigent circumstances" mathematically or put the badge number of authorized fire marshals in the statute. That doesn't mean we can't do better than obscenely broad and vague nonsense like "unauthorized access to a computer."
There is a reason we have laws more specific than "anyone who does anything bad shall be punished by a fine of up to one hundred trillion dollars or up to one thousand years in prison."
My point was never that we should be as vague as possible. My point was that you could never be specific enough to not require context. The mere possibility of exigent circumstances guarantees it.
I don't think we're actually in disagreement. Maybe my analogy was just that badly thrown together?
What happened is that you managed to hit on one of my pet peeves, which is laws that prohibit innocuous things just because sometimes bad people do them. Like the DMCA prohibition on circumventing technical measures that control access to a copyrighted work. I really hate laws like that because they criminalize legitimate conduct (like circumventing for the purposes of fair use criticism) and have no benefit whatsoever over just applying the same penalties to the real bad act (e.g. copyright infringement that isn't fair use), all they do is expand the scope of criminality beyond the actually undesirable act so that it ensnares otherwise upstanding and innocent people. This is especially bad when the penalties are calibrated for the worst possible intent in doing the thing, e.g. mass scale for-profit infringement, and then applied with that severity to everyone in violation of proportionality.
The CFAA is the same way. It prohibits unauthorized access, which seems like it would generally be bad (though it's vague enough that who knows) and with no provision for looking into the circumstances to evaluate how bad, then goes on to impose penalties as though the unauthorized access was in furtherance of something like terrorism or bank fraud rather than accessing a wifi to check your email, even though the latter is still covered and subject to the same extreme penalties.
And none of this is about black and white, which is why I objected to the example. Wanting black and white laws is about fighting vagueness: Too much specificity is bad because it's too complicated and no one can understand it (see: tax code), but too much vagueness is also bad -- even worse -- because then you have no possible way to know what it actually means until you get told by a judge, by which point it's far too late.
The problem with your example is that it isn't an example of too much vagueness, it's an example of too much breadth. Take two examples: "Don't do things" and "don't do bad things without a good reason." The first isn't really vague at all -- it just covers everything, which is useless and stupid. So the problem is that it's too broad. The second isn't too broad -- it's pretty good at only criminalizing things that ought to be -- but it's hopelessly vague.
And it's overbreadth which is the trouble with "it is illegal to break locks." It covers breaking locks even for good reasons. So you need a list of exclusions or you end up like the DMCA: You're allowed to break them if they're your locks, or if necessary in order to do something legitimate, etc. Which is actually a counterexample of being okay with relatively simple laws and not needing a list of caveats to go along with them. Because we can't make things that simple, or we get the DMCA and the CFAA, which are both terrible and need to be seriously overhauled.
There is a reason we have laws more specific than "anyone who does anything bad shall be punished by a fine of up to one hundred trillion dollars or up to one thousand years in prison."
"The law should be the same for everybody and should NOT be applied selectively."
It depends on how the selection is done. If a prosecutor declines to prosecute because the law breaker is of a particular race, rich, politically powerful, etc. then that is an abuse of discretion.
However, we want prosecutors to be selective when it comes to saying that someone might have been justified even if the law as written doesn't explicitly acknowledge the justification (or acknowledges it but as a factor for the judge to consider). Speeding and running red lights because you are impatient and reckless is a different matter than speeding and running a red light because your passenger is bleeding profusely.
We also need to give prosecutors some discretion just to manage the case load. Unless we are willing to spend a lot more on both prosecutors and the court systems, we want them to be able to say "I will focus my time and attention on this murderer even if it means letting that shoplifter go with an extremely favorable plea bargain or even unpunished."
>You either break the law, or you don't. The law should be the same for everybody and should NOT be applied selectively. It's actually outrageous that you imply otherwise.
I'm not implying anything. That is actually how it works now. If you don't like it, change it. But good luck, because first you're going to have to fix all of the laws before you try to force prosecutors to prosecute all of them or we'll all be going to trial at the same time and the entire world will grind to a halt.
>If this goes on pretty soon everybody will be a criminal
Actually, we're well past that point. Until the past few years, only tiny special interest groups ever heard about things like this. Now, it has the potential to blow up into national news. Maybe this is progress.
I definitely don't think he was implying that the law be selectively applied to different people. However, law is not black and white. Law interpretation is up to a judge (in countries with a Common Law system) and is based on precedent. AnthonyMouse was simply saying that if the application of a certain law in a certain situation is ill-fitting, the judge/attorneys have no reason to pursue those charges.
the charges were wire fraud, computer fraud, unauthorized access, and computer damage.
> because it wasn't JSTOR pressing charges, it was MIT
when the charges are federal crimes, prosecutors decide whether or not to press charges. not wanting to press charges does not magically make criminal acts not criminal. if a guy beats the crap out of his girlfriend, and his girlfriend does not want to press charges, the prosecutor can still press charges.
No, it was rhetorical. The point is the charge that MAC spoofing was relevant to was unauthorized access, but if MAC spoofing is sufficient to prove "unauthorized" then MAC spoofing would virtually always be unauthorized access to whatever you're accessing with a spoofed MAC. That interpretation would make MAC spoofing illegal without any underlying crime.
>when the charges are federal crimes, prosecutors decide whether or not to press charges. not wanting to press charges does not magically make criminal acts not criminal.
I'm not sure that's always true. If one of the elements of the crime is that what the defendant did was unauthorized (as was the case here) then if every victim authorized the behavior that element of the crime wouldn't be satisfied, no?
> if MAC spoofing is sufficient to prove "unauthorized"...
i agree. but its not. MAC is one piece of evidence. without the other evidence, the charges would probably be worthless.
> If one of the elements of the crime is that what the defendant did was unauthorized (as was the case here) then if every victim authorized the behavior that element of the crime wouldn't be satisfied, no?
In theory, I suppose. However, JSTOR not pushing for charges is not the same as JSTOR "authorizing" Aaron to access those files.
>MAC is one piece of evidence. without the other evidence, the charges would probably be worthless.
The trouble is that the other evidence can be just as spurious and circumstantial. It's the selection bias problem: You do a hundred thousand things in the process of downloading a journal article and fifteen of them are "suspicious" but those are the fifteen they present to a jury when trying to convict you.
The charge was that they blocked his MAC address, so he changed it with intent to continue accessing a system.
Even if he had changed his MAC address by buying a new laptop / NIC and connecting it, they probably would have still tried to charge him with the same thing.
The wording of what is alleged from the indictment is: "He sought to defraud MIT and JSTOR of rights and property by: ... b. Repeatedly taking steps to change his and his computer's apparent identities and conceal his and his computers' true identities".
For that same argument to be applied to someone else, there would have to be several aspects:
* The change of MAC would have to be repeated (although obviously they could construct a similar argument if you just did it once to clone a white-listed MAC).
* The 'intent' behind changing the MAC address would have to be to obtain something that could not be obtained otherwise. This could be by spoofing a white-listed MAC address, or changing away from your black-listed MAC address that was blacklisted to stop you doing something the network owner doesn't want you to do with their network.
I don't think they are saying the technical means by which the MAC is changed matters, or that changing MAC addresses without the intention to circumvent a technical measure to restrict access are wire fraud.
What, then, was the underlying crime, if not this unauthorized access nonsense where access was allegedly unauthorized only because he was supposedly hiding his identity? Keep in mind that it wasn't copyright infringement (which normally isn't criminal anyway), because it wasn't JSTOR pressing charges, it was MIT.
>Your point, I think, is that that "extra" crime is a silly law. Which I think many of us agree with. But it's still the law, and it's not unreasonable for a prosecutor to enforce it.
But there are two issues here: There is what prosecutors did, and what the law allowed them to do. Even if you don't have a problem with the prosecutors, we can still have a problem with the law and work to have it changed.
>In fact, they have a duty to do so.
No they don't. They have prosecutorial discretion. If the application of the law in a particular case is ridiculous, they have no legal or professional obligation to press those charges.