
>Technical people do stuff like MAC spoofing all the time, as in the article. //

Yes to gain access to material they are not authorised to access, for example.

>I set curl and wget to spoof a more common user agent, because some things simply don't work otherwise. //

But you know that spoofing a useragent, eg Googlebots, to crawl a domain is unauthorised access. You do.

From what I've read recently Aaron Swartz was quite brilliant. He also appears to have acted morally in attempting to free JSTOR data (IMO a noble cause), but I very much doubt he was so naive as to believe he was acting legally in doing so. It seems to me to require suspension of rational thought to come to this conclusion.

MAC spoofing does really help prove mens rea. Authorisation was restricted to content based on MAC; a person spoofed MACs to gain access, that person knew that spoofing MAC was something that would gain access that wasn't authorised.

An analogy: If someone is offering free samples in the street, you may well be able to get lots of free samples by wearing different disguises, you may even be giving the samples to the needy, but claiming you didn't appropriate those samples by deception (ie fraud) is just lying.



Thanks for the illustration: what is considered common behavior in one community is not necessarily considered common behavior in another and today people are disagreeing on, among other things, even the definition of fraud (which I agree, "should" be simple) in computer networks.

I could just as easily argue it's fraud to restrict any copying via a network that functions for that purpose. MAC spoofing might help demonstrate mens rea to you, but that is far from universal. I don't care if Google crawls my domains, regardless of the presented user agent, so why should I presume anyone else would? (Google didn't start by presenting themselves as Googlebot... They committed your definition of fraud.) Why do your presumptions win over my presumptions? We need better reasons than a legislator's "because I said so." If we are to live together, we have to come to a consensus, but at the moment there is a long distance between some pretty inflexible points of view ("just lying").


>(Google didn't start by presenting themselves as Googlebot... They committed your definition of fraud.) //

Can you expand on this? It appears you're saying that Google spoofed the origin of their traffic in order to crawl sites? Can you back that assertion up?

If you allow Googlebot access using UA then someone identifying as Google in order to gain access they wouldn't otherwise have is clearly unauthorised. We all know this. It's not something [on its own] that warrants prison time of course.

Fraud is gain by deception; simple. If you have to change your apparent identity to avoid being prevented in your acquisition then it's fraud.

>MAC spoofing might help demonstrate mens rea to you, but that is far from universal. //

Come on, let's be adult about this. Are you really claiming that people don't change MAC address in order to avoid being identified with previous use under a particular MAC address, that it's not solely to mask identity. Masking identity is of course not normally and generally a crime in itself.

So then that repeated use of a service restricted by MAC address, after the intermediate application of MAC alteration doesn't show direct mental application (mens rea) to the task of attaining further access than that which has been authorised ... look I'm not saying he was morally wrong. But aaronsw certainly knew he was acquiring unauthorised access; if it were authorised he wouldn't have needed to hide equipment, spoof MACs, alter IPs to avoid IP blocking and such. He knew and I warrant you do too.

It's a shame in many ways he didn't pull it off.

>I could just as easily argue it's fraud to restrict any copying via a network that functions for that purpose. //

Where is the appropriation by deception in this?


> saying that Google spoofed the origin of their traffic

The discussion was about user agents, not origins.

>Fraud is gain by deception; simple.

The hell it is. Let me give you an actual definition of fraud:

  * a representation of an existing fact;
  * its materiality;
  * its falsity;
  * the speaker's knowledge of its falsity;
  * the speaker's intent that it shall be acted upon by the plaintiff;
  * the plaintiff's ignorance of its falsity;
  * the plaintiff's reliance on the truth of the representation;
  * the plaintiff's right to rely upon it; and
  * consequent damages suffered by the plaintiff.

Note in particular that if you don't harm someone there is no fraud.


> Are you really claiming that people don't change MAC address in order to avoid being identified with previous use under a particular MAC address, that it's not solely to mask identity.

There are many reasons one might want to avoid being identified with previous use under a particular MAC address (or other identifiable information). For example, if you're paranoid about all the big brother tracking going on in the world (just because you're paranoid doesn't mean they're not out to get you), you might consider many such techniques to break up your trail from the perspective of said trackers.


>There are many reasons one might want to avoid being identified with previous use //

OK, so you get blocked, change MAC/IP and that gets you access again. Would you claim to not know that you were now circumventing an access block? How about if you were downloading the 300th (or more likely 30,000th) document from a repo when it was clearly said users were limited to 3?


TL;DR: Agree to disagree!

Google has been known to present as Python-urllib (a generic Python library) with no other references to Google ( http://www.user-agents.org/cgi-bin/csv2html.pl?data=allagent... ). Their main bot currently presents itself as Mozilla and various mobile browsers ( http://googlewebmastercentral.blogspot.ca/2011/12/introducin... ), and plenty of others, albeit with a parenthetical reference (they used to actually present as Googlebot as the main agent, now they impersonate as the default).

http://en.wikipedia.org/wiki/Criticism_of_Google#Cached_data

http://infolab.stanford.edu/~backrub/google.html §4.3: Crawling the web: It turns out that running a crawler which connects to more than half a million servers, and generates tens of millions of log entries generates a fair amount of email and phone calls. Because of the vast number of people coming on line, there are always those who do not know what a crawler is, because this is the first one they have seen. Almost daily, we receive an email something like, "Wow, you looked at a lot of pages from my web site. How did you like it?" There are also some people who do not know about the robots exclusion protocol, and think their page should be protected from indexing by a statement like, "This page is copyrighted and should not be indexed", which needless to say is difficult for web crawlers to understand.

That about sums it up: the laws largely reflect the foot-stamping of non-technical people who wanted copies to be more like apples on a tree and less like reflections in a pool. To be sure, it is possible to commit real crimes using the Internet: securities fraud (real fraud), invasion of privacy, uttering threats, etc, but copying itself should not be criminal.

>"I could just as easily argue it's fraud to restrict any copying via a network that functions for that purpose." "Where is the appropriation by deception in this?"

The deception is of copying as appropriation, which I consider impossible. The appropriation on your part (the royal "you") is 1) the loss of my freedom to surf/access the net using the tools and methods of my choosing (with any user agent string or MAC I want, or by scanning an IP block, or by sending a multicast packet), and 2) your gain of copies as a store of value.

"Are you really claiming that people don't change MAC address in order to avoid being identified with previous use under a particular MAC address, that it's not solely to mask identity."

No, I am saying a MAC was not an identity to begin with. Sites use technical means to limit some access, while usually leaving others open (there has to be some way for users to get at the bits). Why should anyone assume those means left open shouldn't simply be used instead? (The discriminator could have discriminated further, to an arbitrary degree, since the rules only exist in software.)

Again, it boils down to your definition of "unauthorized" which is defined firmly in one camp (not that copy, it's mine!) and equally firmly but very differently in another camp (copying is easy; copying will always be easy). The people who regularly apply access controls and maintain the networks largely assume other people could too, if they wanted to, so what feels like "security" for one person (a MAC address) isn't considered "security" for others. (I'm not speculating about Aaron's views, I'm talking about mine. I agree, I don't think he did anything wrong.) The general feeling is one of all-or-nothing access amongst those who define the locks; part of the hacker/inquisitive mindset is not wanting there to be any locks they can't bypass.

That lock analogy is problematic. Using an elaborate means to copy is not the same as breaking into a building by climbing through a window. Copying (looking) doesn't cause bodily harm or deprivation, and so is not fraud. Lots of people want to claim it can cause financial harm, but I don't buy that one either. Non-commercial copyright infringement is basically free advertising: the sort of word-of-mouth you pay through the nose for. Paying up-front for a copy is absurd; you pay after you hear the minstrel, and you only pay if you liked the music. You can stop playing music for me, but you can't, with accuracy, call me a thief for listening or not paying.

Keep in mind I'm describing what I think should be, not what I think the laws are. You are free to disagree, but this is the context for my comments.

The Internet was, and is, and remains a copying (looking) free-for-all, where code is law. That doesn't make it a wild west that needs to be civilized either - there's nothing to civilize in the absence of copyright. It doesn't mean we have to pull in property and theft analogies... This is still exclusively about copying. As little as 10 years ago we all thought copying would bring some kind of digital salvation: access to all human knowledge. (Enter Wikipedia...) Turns out we want to monetize copying instead, so we are reducing individual freedoms and access rights. Yes, reducing. Give me a break. (For the sake of keeping up with your exasperations.) I already pay my ISP for the link. The copying is implied.

Copying is only scary because you don't know the person doing it - but they aren't doing it to you; copying isn't an injury.

I run an SSH server, and I prevent access to it as well. I also run a wireless access point with a pretty simple password. I don't care if someone uses the wireless if they find the password. Good on them. If they use it to commit a crime I do, but using it is not the crime. Similarly, if they find the password to the SSH server, also good for them; if they find the password to the SSH server and commit an actual crime, then there will be charges (though not from me unless I was the victim), but looking onto a property (a physical computer) is not a crime. You have to forget about that if you want to monetize information, but that's why there's a lack of common ground between the two camps: there's no property to speak of.

Admittedly, there are a number of laws based on the idea that copying should be illegal (copyright as an obvious example). I'm not ignorant of them, but I challenge them. (Granted, I probably wouldn't be willing to put myself in Aaron's situation to challenge them.) I think they can only be enforced at the cost of physical ownership rights and I'm a "law-as-code" kind of guy. I want to be able to believe that if someone didn't want me to copy something, I wouldn't be able to copy it, or I at least want us to admit that making a copy can't actually hurt someone (the copy itself, not what you might proceed to do with it).


Thanks for your response, I'll keep this brief but I want to correct a few apparent misconceptions.

>I am saying a MAC was not an identity to begin with //

That's not important. The person accessing the system realised that it was being used to enforce a per person limitation. They spoofed MAC in order to misidentify their access. That misidentification was, it appears, to acquire documents in an attempt to publish them against the will of the license holders.

I'm pro-copyright and patent as I genuinely believe that they are required to ensure proper compensation of authors/inventors. I use CC-BY primarily, which is facilitated by copyright.

However, what I'm absolutely against is copyright or patent terms that don't stimulate innovation or artistic creation. Terms should be no more than about 9 years for either.

>Turns out we want to monetize copying instead, so we are reducing individual freedoms and access rights. //

We need fair exchange. Producing copyright works costs just like producing food or goods. Unless you give food, drink, shelter, etc., free to artisans then you can't demand their work to be free. Quid pro quo.

I am absolutely sympathetic to the idea of releasing JSTOR data, indeed any and all scientific data, and applaud the apparent sentiment. But I'm not about to overlook the pretty obvious truth in order to promote that position - releasing JSTOR's data to the public would be a highly damaging commercial act. Morally justifiable IMO but certainly against the law. So, was aaronsw guilty, it appears certain from what I've read of the case that he was.

>but looking onto a property (a physical computer) is not a crime //

Fixing an image from a private property is in many jurisdictions (not sure on USA, most likely it's situationally variable).

You're creating a false equivalence in any case, having your IP address is looking at your property from afar, logging in to your SSH and taking your files is picking the lock (or swinging the gate open) and walking in and taking something.

Which brings us back to authorised. Unauthorised is "not authorised", that may seem a pedantic truism but it moves towards the next point. Just because my door is wide open doesn't mean you have the right to access my house, you are authorised by active assent not by failure to prevent access. Running sshd with a weak password doesn't mean I'm authorised to access your computer, I'm clearly not authorised, I could perhaps run an exploit on it or brute-force it but that doesn't make me authorised to access it.

If you truly hold the position you're espousing then presumably if someone takes money from you you'd consider it "authorised" because you failed to prevent them?


"Thanks for your response"

Happy to have a rational debate.

"We need fair exchange. Producing copyright works costs just like producing food or goods. Unless you give food, drink, shelter, etc., free to artisans then you can't demand their work to be free. Quid pro quo."

I agree. That's why I leave a tip for good service, after I have eaten. The difference between selling groceries and waiting on tables is that in the former there is a tangible item with an intrinsic value to which the law of exclusion strictly applies. The latter has an intangible and subjective value behind it, and the law of exclusion is as flexible as a wet noodle. The thing about the Internet is that it's all subjective and intangible, making the gratuity model vastly more appropriate. That doesn't make intangible work valueless, it just changes the business model. We have never seen such an expansive gratuity-based business opportunity as the Internet before. I can also understand how that might be a bitter thing to admit if one prefers, or depends on, the law of exclusion. (Of course, it is also possible to "inflict" the law of exclusion on netizens with laws such as copyright, the CFAA, etc, but that's not the clear moral high road.)

"having your IP address is looking at your property from afar, logging in to your SSH and taking your files is picking the lock (or swinging the gate open) and walking in and taking something."

No, they are both just network traffic. Their effects and potential for damages are not, which we even seem to agree on. I'm saying that the conversation should be explicitly about damages though, and not indirectly about regulating access/copying.

"you are authorised by active assent not by failure to prevent access."

In the world of tangible goods with intrinsic values yes, on the Internet, not as obviously, if at all. If you already buy into the copying = theft equivalence/analogy, you might be more inclined to believe that. However, IMHO, there is no such thing as trespass against information, and any trespass or damages against me should be firmly anchored in the land of the real.

"If you truly hold the position you're espousing then presumably if someone takes money from you you'd consider it 'authorised' because you failed to prevent them?"

No, we have laws against theft. What I'm disagreeing with is the unspoken copying <-> theft equivalence. It may also be a pedantic truism, but "copyright infringement" and copying generally are semantically and functionally different from "theft." (Copying: 1+1=2; theft: 1-1=0.) IMHO, it's not necessary to presume that copies themselves need to be restricted on top of the criminal ends (damages, theft of value, etc). In the case of copyright, the case for damages is hypothetical. I'm not saying that's strictly invalid, just that it's not strictly valid either, and so should be taken with more than a few grains of salt.


>It may also be a pedantic truism, but "copyright infringement" and copying generally are semantically and functionally different from "theft." //

Not a pedantic truism by any stretch. Yes I absolutely agree, the tort of copyright infringement is nowhere near the crime of theft. I'd be happy to go with an approximation of "actual damages" in respect of copyright infringement but computer access is about more than just copyright infringement.

We come back, looking at the tort alone in the aaronsw case, to the quid pro quo - JSTOR were potentially set to lose a majority of their income if their entire back catalogue was released for free. On an actual damages basis this tort is huge.

>any trespass or damages against me should be firmly anchored in the land of the real. //

Information is as real as money.


"Information is as real as money."

Certainly, however, information can be "held"/known by an arbitrary number of people at any single point in time, whereas money can only ever be held by a single person at a single point in time. That changes the nature of that reality. Value, and therefore damages, are simply not as concrete as is implied by the property analogy.

"On an actual damages basis this tort is huge."

That's for the courts to decide, and the public to rightly question as well.



