"The new version defines unauthorized access as "the circumvention of technological access barriers," which leaves a much narrower scope for prosecution. It also specifies that changing one's MAC or IP address does not violate CFAA or the wire fraud statute. It's pretty clear Swartz, who was authorized to be on the MIT network, wouldn't be prosecutable under the new law."
Uh, what about the part where he snuck into a network closet and plugged directly into a piece of infrastructure so he could be on a subnet he knew he wasn't supposed to have direct access to? Wouldn't that still be considered unauthorized access? I'd like to think that if someone breaks into my home LAN, they won't beat the rap just because I also happen to run a free open hotspot in an attached VLAN sandbox.
What about the part where he walked into an unlocked closet and plugged into an unsecured Ethernet port, using access to the network he had already been granted? I'd like to think that if I'm walking by your house and connect to your free open hotspot, I'm not committing a felony because you meant to put a password on it.
Clearly the core network in the closet and the wifi network outside were not equivalent, or he wouldn't have been in there in the first place. He had permission to access the latter, not the former, and the fact that he was hiding his face when he went in there is evidence that he knew he didn't have permission to plug into that layer.
He was escalating his level of privilege by connecting at a deeper level than he had been granted access to.
Anyone who's done networking knows that ethernet and wifi are not equivalent. I'll grant you he was escalating his bandwidth; what is this "privilege" you describe which was neither physical nor technical?
No, I think you're misunderstanding a key part of this: MIT has a layer of defense between their public-access networks (like campus wifi) and their core network. Among other things, that's the layer their antiscraping defenses live in.
The closet router was deeper than that -- inside that layer of defense. Aaron didn't just plug in for bandwidth or permanence -- he did it because it was a trusted subnet that would evade the protections and restrictions MIT places on their public access points.
Ah, noted. Evading rate limiting to a resource you have lawful access to still reads to me as bandwidth, not privilege, but point taken.
But still— unlocked closet, unsecured network, all, we are given to understand, because of a very lenient open network policy. If he was not "authorized" access, what is the authority, and when would the authorization have taken place? It seems a terribly tough row to hoe.
Indeed, I'm finding myself in a strange place in this debate, because I do think that computer crime laws are very vague and extremely harsh, including the ones Aaron was being prosecuted under. But I think Aaron's defenders go too far when they claim he was completely innocent.
Respect; you're a fine devil's advocate. I'll definitely agree what Aaron was doing was cheeky, and anyone could have seen how it could easily get him in trouble with MIT or JSTOR or maybe even the cops. It's just hard to point out what actual part of the law as written was broken, since it looks like he didn't actually circumvent anything that would normally be called security except in the sense of "We didn't think anyone would do that."
Hope aside, I'm trying to address what the bill would actually do, and I don't see how it would have cleared Aaron.
Reread the first line I quoted. What part of the redefinition of "unauthorized access" makes it no longer apply to plugging into a network layer you know you're not authorized to be on, for the purposes of circumventing a technological access barrier like the JSTOR antiscraping system?
Sorry, I misread you as suggesting that because the proposed bill wouldn't affect the closet access that it was an ineffective bill.
In any case, all of the MAC addresses he used were authorized to be on the MIT network until they stopped working without notice. Doesn't the bill now state that changing MAC addresses is not circumvention?
He's saying there are two separate things going on when Aaron went into the closet.
1. Trespassing. This is not germane to this discussion though.
2. Unauthorized circumvention of a technological measure (i.e. deliberately hooking up to a trusted subnet to evade the blocks that had been placed on his previous network access)
Aaron would very well still have been in violation of even the proposed law, as worded now.
Well, to be fair, trespassing law is complicated. If there's a sign like "NO TRESPASSING" or "WELCOME" it's pretty clear-cut, but otherwise, there's several centuries of case history that comes into play, ultimately boiling down to which of the two signs above was implied by the surrounding objects and circumstances.
It's hard to know whether his presence in the closet legally counted as trespassing or not, but from my understanding (and the fact that he wasn't being prosecuted for it), I don't think it applied here.
>I'd like to think that if someone breaks into my home LAN, they won't beat the rap...
Burglary is already against the law. I might suggest that you don't leave any conspicuous ethernet jacks in your front yard where passers-by might be tempted.
Or what if you run a university, or a library, or a restaurant, or a B&B, or anything else where members of the general public are welcome to visit, but not necessarily granted full permission to do anything they want?
I'd say that if you operate any of those entities and leave unprotected (to such a degree) access to anything important enough to actually deserve a felony rap, then you are negligent to some degree. What's wrong with the civil courts for such things?
I'm more interested in how the rewording from "unauthorized access" to "the circumvention of technological access barriers" holds any substantial practical difference. It gives the defense a leg to stand on by specifying "technological" access barriers and their "circumvention," and the amendments also exclude ToS violations as barriers. But what's to stop a prosecutor from arguing that unrelated technological barriers were in place elsewhere, and the fact that a defendant didn't encounter these (technological) barriers still constitutes circumvention? I guess there'd be a big fight over "circumvention," but IANAL so perhaps it's all moot.
I also don't understand how "changing one's MAC or IP address [in order to circumvent] 'technological access measures'" doesn't constitute a violation in principle, even if their proposed bill decides to whitelist those two behaviours notwithstanding other portions of the bill.
> I also don't understand how "changing one's MAC or IP address [in order to circumvent] 'technological access measures'" doesn't constitute a violation in principle
It is a violation in principle; the real world equivalent would be having a posted picture saying "DO NOT ADMIT THIS MAN INSIDE" but Aaron walks up wearing a ridiculous faux mustache and gets admitted anyways.
IMHO it's explicitly whitelisted not because of the principle, but because it's the behavior Aaron employed that they're trying to make legal in the future.
1) CFAA should have been scrapped entirely and a new law written, this time in good faith, and actually taking into account the technology of the first decade of the 21st century. This law should keep an open path to sensible application for at least a few decades to come.
2) This is unlikely to pass as-is when corporate interests haven't put their fingers into the pot yet.
A little OT, but if you read the PDF of the bill [1], you can see that the way in which they go about updating laws is the equivalent of a hand maintained, text based version control system. Every object (text lines) is uniquely identifiable by page and line number (a hash), and modifications are in the form of additions or strike outs to these lines (deltas). If you get the original bill and follow through all the subsequent modifications you could even build a version control tree! Neat.
This has actually been criticized before because it's prone to being mis-applied at times.
E.g. there have been times when new legislation was first added to U.S. Code not as a new section, but as a bunch of deletions/additions that make it very hard to tell what the end result is supposed to look like.
However if you find that neat you may also find it neat how they end up placing these bills passed into law into the legal code. It's done manually just as you say, but the ones doing the work sometimes notice issues which they footnote (e.g. I've seen a lot of "foo was probably meant instead of bar" footnotes).
> This has actually been criticized before because it's prone to being mis-applied at times.
>E.g. there have been times when new legislation was first added to U.S. Code not as a new section, but as a bunch of deletions/additions that make it very hard to tell what the end result is supposed to look like.
Ha! Typical, at some point politics had to show its ugly head :) I thought that eventually some sort of consolidation took place (a release, if you will) and then subsequent modifications were based off of that one.
Yes, occasionally a group of existing law will be assembled together and approved as a block (this is how the U.S. Code is formed), and then they can tweak with USC from there directly.
Other times they pass the law and it just kind of floats out there, in the "Statutes-at-Large" until some poor legislative assistant decides to/gets told to go consolidate the groups back into appropriate titles of USC (which requires another bill in Congress).
Even when you're making a law which is basically just a diff to the U.S. Code though, the various interactions of each of the changes can be difficult to discern the real meaning of. But on the other hand it's nice to be able to simply fix the broken part of a law without having to do a full rewrite.
I'm having a lot of trouble following all this media storm due to the Swartz suicide. The guy obviously did something illegal against a very big organization. It could not come as a shock to him the consequences would be severe.
And yet, when caught he commits suicide. And now he is a martyr... Can you imagine the pain his family is in right now just because this guy had to commit illegal acts and couldn't pay for his crimes?
The problem is not the law, the problem is the attitude that in the administration of criminal justice that the ends justify the means.
The government has long believed it has the power to do whatever it wants to secure whatever end it deems good for the people.
We saw it in the 30s with Olmstead, in the 50s with the FBI under Hoover and the House Committee on Unamerican Activities, in the 60s with COINTELPRO and use of FBI resources to disrupt the civil rights movement, and in our current time with the war on terror, the use of torture, drones, body scanners, and in the prosecutorial realm with mandatory minimums, etc.
Ortiz is not a bad apple, she is amongst the best and brightest of the US DOJ. You can tell from her other cases that she is extremely clever about using the resource of the government to bully the weak and advance the interests of the powerful.
Let me repeat, she is not a bad apple, she is the best the system can produce and what it aims to produce. It is not a law that needs changing but an attitude. The foul stench of the holier than thou zealotry starts at the top and permeates its way throughout the entire system.
It's the elected nature of judges and prosecutors that is the main problem - too much emphasis on newsworthy cases to get elected and not on applying the spirit of the law.
No Judge or Prosecutor should ever be elected, it's just too dangerous, and to make a start I suggest that supreme court Justices should have a minimum of at least 20 years' experience as a Judge - not as one recent one zero experience being just an academic lawyer.
Federal prosecutors (like Carmen Ortiz) are not elected. Carmen Ortiz was appointed by President Obama in 2009. The rest of the prosecutors in her office were hired as part of the civil service system and are insulated from politics.
Federal judges (like the judge that was hearing Aaron's case) are not elected; they are appointed by the President and confirmed by the Senate. Same for Supreme Court justices; you may remember Justice Sotomayor being appointed by President Obama and being confirmed by the Senate. Given the way that politics are, it's unlikely that a judge with 20 years of experience will be appointed to the Supreme Court: over a 20-year career as a judge, they will have inevitably made a controversial decision that the "other side" would fairly/unfairly pick apart.
Ah sorry I was confusing this with District attorney.
The point about Judges or prosecutors being not selected because they have pissed off one side or the other stands - I think the UK system is safer as it is much harder for politicians to block or influence.
I believe he's saying they shouldn't be allowed to run for public office in the future. Once a prosecutor, always a prosecutor. Remove any incentive to bend the justice system to future ambitions.
The plea bargain was made legal in 1970[1] by the Supreme Court, is there any way to overturn it? What kind of implications would this have? Did the judges then have the foresight to realize that over 90%[2] of federal court cases would be concluded with plea bargains?
Why would you want to abolish the plea bargain? Generally speaking, contracting someone's choice set makes them worse off. (Here, the choice to take a known loss rather than roll the dice at trial -- the same kind of choice you make when you buy insurance.)
The problem, rather, is that prosecutors can credibly threaten to convict with such a severe prison sentence that your best option is to take an oppressive plea deal. Abolishing plea bargains doesn't help that; if anything, it makes the problem worse by sealing one relief valve in the whole process.
OTOH, there is something to be said for "DDOSing" the archaic justice system by collectively forcing all cases to go to trial, something others have proposed. But you just need enough committed accuseds to do that, not a new law.
Governments simply don't have enough money to try every case or enforce every maximum prison term. If the plea bargain was eliminated, prosecutors would be forced to prioritize a great deal more. Moreover, for better or worse, every single defendant accused would receive their day in court, as opposed to being forced to gamble with the years of their life, even if they are innocent or the crime is a minor one.
Abolishing the plea bargain would by no means fix the broken system, but it would be a good start.
If you could make every parent in the world unable to pay a child's ransom, wouldn't you? A harmful choice is necessary for coercion, or in the legal sense, menacing.
Has anyone ever tried countersuing the DoJ once presented with a plea bargain? Given the numbers behind plea bargaining and conviction rates, it seems like you could convince others of the cruel and unusual nature of plea bargaining. Given the odds it's definitely unfairly coercive.