Apr 11 2013
 

The Computer Fraud and Abuse Act is no stranger to these pages.  The tragic suicide of Aaron Swartz at the beginning of the year, following the Department of Justice’s relentless pursuit of him for downloading the JSTOR archive, has galvanized a reform movement to overhaul – or at least ameliorate – some of the most troublesome provisions of the CFAA.

One such provision can be found at 18 U.S.C. § 1030(g), which creates a civil cause of action for a party claiming to be aggrieved by the purported wrongdoings described in subsection (a).  While civil causes of action are generally beyond the scope of this blog, having a civil cause of action buried in a statute designed to enable criminal prosecutions can be problematic for defendants facing the latter because the civil litigation, as it explores the contours of the statute and its internal definitions, tends to leave in its wake precedent that prosecutors can later use.  Which is unfortunate, because how the statute may be interpreted in a civil context — which inherently can only reflect the particular dynamics of the particular civil dispute between these particular private parties — reshapes how the statute will be interpreted in a criminal context.  Especially with a law like the CFAA, whose language always tempts excessive application, these civil precedents can vastly expand the government’s prosecutorial power over people’s technology use, and easily in a way Congress never intended.  One should also never presume that the outcome of a civil dispute correlates to a result that is truly fair and just; miscarriages of justice happen all the time, often simply because it is so difficult and expensive to properly defend against a lawsuit, especially one asserting a claim from an imprecisely drafted and overly broad statute like the CFAA.

The reality is that plaintiffs often abuse the judicial process to bully defendants, and that brings us to the second subject of this post, Prenda Law, which is currently being exposed, judicially and publicly, as one of the biggest bullies on the block.  But why should we care here?  Because although Prenda has most notoriously exploited the Copyright Act for its legal attacks, it has also shown itself ready, willing, and able to abuse the easily-abusable CFAA in order to enrich itself as well.

Feb 20 2013
 

At an event on CFAA reform last night I heard Brewster Kahle say what to my ears sounded like, “Law that follows technology tends to be ok. Law that tries to lead it is not.”

His comment came after an earlier tweet I’d made:

I think we need a per se rule that any law governing technology that was enacted more than 10 years ago is inherently invalid.

In posting that tweet I was thinking about two horrible laws in particular, the Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA). The former attempts to forbid “hacking,” and the latter ostensibly tried to update 1968’s Wiretap Act to cover information technology. In both instances the laws as drafted generally incorporated the attitude that technology as understood then would be the technology the world would have forever hence, a prediction that has obviously been false. But we are nonetheless left with laws like these on the books, laws that hobble further innovation by how they’ve enshrined in our legal code what is right and wrong when it comes to our computer code, as we understood it in 1986, regardless of whether, if considered afresh and applied to today’s technology, we would still think so.

To my tweet a friend did challenge me, however, “What about Section 230? (47 U.S.C. § 230).” This is a law from 1996, and he has a point. Section 230 is a piece of legislation that largely immunizes Internet service providers from liability for content posted on their systems by their users – and let’s face it: the very operational essence of the Internet is all about people posting content on other people’s systems. However, unlike the CFAA and ECPA, Section 230 has enabled technology to flourish, mostly by purposefully getting the law itself out of the way of the technology.

The above are just a few examples of some laws that have either served technology well – or served to hamper it. There are certainly more, and some laws might ultimately do a bit of both. But the general point is sound: law that is too specific is often too stifling. Innovation needs to be able to happen however it needs to, without undue hindrance caused by legislators who could not even begin to imagine what that innovation might look like so many years before. After all, if they could imagine it then, it would not be so innovative now.

Jan 29 2013
 

In 1998 the Digital Millennium Copyright Act amended U.S. copyright law in a few key ways.  Of most relevance here are the additions it made at 17 U.S.C. §§1201 et seq., which include the provision:

“No person shall circumvent a technological measure that effectively controls access to a work protected under this title.”  §1201(a)(1)(A)

If one does, they can be liable for damages, §1203(c), or, more saliently for this blog, fines of $500,000 and/or 5 years imprisonment for the first offense and $1,000,000 and/or 10 years for subsequent ones.  §1204(a).

The question here is, why?


Jan 21 2013
 

The 13-count superseding indictment (now dismissed) against Aaron Swartz basically boiled down to two major complaints: he accessed a computer system, and then downloaded files, without permission to do either.

It was not completely unprecedented in the pre-digital age to penalize acts that at their essence were about doing something without permission. Trespass, for instance, can be criminally prosecuted if someone has entered another’s real property without their permission. But (per the Model Penal Code § 221.2) it is typically prosecuted as a petty misdemeanor, commensurate with the negligible resulting harm. In instances where more serious harm resulted, a harm that could be properly measured in real world dimensions, such as the deprivation or destruction of real or immovable property, then a separate crime could be charged, such as theft – one targeted to address that violent sort of outcome. But even in those cases the crime and its commensurate penalty would hinge on the resulting harm, not the underlying lack of permission (see, e.g., Model Penal Code explanatory note §§ 220.1-220.3). On its own, merely doing something without permission has not been something US law has sought to punish with serious charges carrying lengthy prison sentences.

In Aaron Swartz’s case, however, while his actions, even if true as alleged, resulted in no more measurable harm than an ordinary trespass would have, he was nonetheless charged with multiple felonies.

Jan 14 2013
 

This weekend’s news about the death of Aaron Swartz is a cogent reminder of what this project is about. Aaron was a gifted contributor to the tools and values that make the Internet the extraordinary medium it is, impacting everything from the RSS standard to the Creative Commons licensing system and more. From all accounts he was on a constant quest to free humanity’s knowledge and make it accessible to anyone who wanted or needed it.

These actions challenged the status quo, however, and the status quo fought back. For those who treat knowledge as a currency that can be hoarded, acts to free it are seen as a threat. Unfortunately for Aaron, those people have power, and they wielded it against him. Furthermore, and most saliently for this project, it happened not through private actions, but by leveraging the power of the state to pursue and criminally prosecute him for his efforts.

Fortunately for Aaron he had competent counsel able to help defend him against the charges laid at his door. For all too many in similar positions as Aaron such counsel isn’t always available, which is a big reason why this project exists. It’s important that there be counsel ready and able to understand both the technological nature of the criminal act alleged and the nature of the crimes charged in order to properly defend them. It is very easy, as we see with this case, for a prosecutor to throw the book at a defendant for having done anything with technology outside of the norm, regardless of whether that technology use really deserves such a sanction, or even any sanction at all.

But having counsel isn’t enough. These prosecutions are backbreaking and bankrupting, and even if the defendant is ultimately acquitted the mere persecution will have already extracted a punitive toll from the defendant. In Aaron’s case he was looking at defense costs and fines in the millions of dollars, and the specter of years if not decades of imprisonment. Who among us could bear such a fate looming over them without their lives being fundamentally altered?

Thus the parallel purpose of this project is to help advocate for better legal policy, so that we don’t empower the state to punish our innovators for innovating. The disruption they spawn, though perhaps painful for incumbents who liked things as they were, is necessary in order to have a future that benefits everyone.

Jan 11 2012
 

A word about “hacking.” Hacking is a word often colloquially misused to describe the unauthorized access of a computer system. Among self-described hackers, however, the correct term to describe such behavior is “cracking,” as in “safe cracking.” “Hacking” instead describes a far more neutral, or even beneficial activity: the creative problem solving involved in engineering a solution. (Links point to Eric Raymond’s Jargon File.)

It would greatly assist policy discussion to keep these terms clear, particularly given the interest in criminalizing the unauthorized access of computer systems. Associating the activities of hacking with the more pejorative definition loses nuance and tends to lead to the criminalization of more benign, even objectively good, technology uses.

Thus this site will endeavor to use the correct term as much as possible. But when citing other media it may necessarily parrot whatever word was used, however incorrectly.

Edit 2/20/13: I’ve realized I’m shouting into the wind on this issue. “Hacking” is too colloquially accepted to describe all sorts of innovative applications of technology, good and bad, to ever completely avoid. But I will remind others that the term does indeed describe both good uses and bad uses and should not be presumed to be a pejorative.

Dec 29 2011
 

Paul Marks has a fascinating article at The New Scientist about an old example of hacking.

LATE one June afternoon in 1903 a hush fell across an expectant audience in the Royal Institution’s celebrated lecture theatre in London. Before the crowd, the physicist John Ambrose Fleming was adjusting arcane apparatus as he prepared to demonstrate an emerging technological wonder: a long-range wireless communication system developed by his boss, the Italian radio pioneer Guglielmo Marconi. The aim was to showcase publicly for the first time that Morse code messages could be sent wirelessly over long distances. Around 300 miles away, Marconi was preparing to send a signal to London from a clifftop station in Poldhu, Cornwall, UK.

Yet before the demonstration could begin, the apparatus in the lecture theatre began to tap out a message. At first, it spelled out just one word repeated over and over. Then it changed into a facetious poem accusing Marconi of “diddling the public”. Their demonstration had been hacked – and this was more than 100 years before the mischief playing out on the internet today. Who was the Royal Institution hacker? How did the cheeky messages get there? And why?

There are a lot of lessons in this tale of use for us today.

Dec 10 2011
 

A key case involving the Computer Fraud and Abuse Act will be heard by an en banc panel of the Ninth Circuit Court of Appeals on Thursday.  More will inevitably be said about this case, this law, and the underlying policy to define, deter, and punish “hacking,” but for the moment, this article provides a good summary of the salient issues from the upcoming hearing: “When Computer Misuse Becomes a Crime,” Ginny LaRoe, The Recorder, Dec. 9, 2011. (h/t @Dissent)

Dec 08 2011
 

From the Detroit Free Press, Leon Walker is facing a five-year felony charge after accessing now-ex-wife Clara Walker’s Gmail account to see whether she was having an affair.  A 1979 Michigan law prohibits accessing a computer system without consent.

Walker and his attorneys, Leon Weiss and Matthew Klakulak, said the law was never intended for domestic matters, but was designed to prevent identity theft and the theft of trade secrets.

Earlier this year, the attorneys asked the appellate court to throw out the charges. On Tuesday, three appellate judges peppered Klakulak with questions, asking why Walker’s actions weren’t unlawful hacking.

Klakulak said the law was “ambiguous” and wasn’t intended for “ridiculously innocuous conduct” like peeping at a family member’s Gmail account.

But judge Pat Donofrio said Walker’s actions appear to fall squarely under the law the way it was written.

“Your client is being charged with securing intellectual property — her e-mail, accessing her intellectual property,” he said.

Klakulak also argued legislators never intended the law to be used for snooping spouses and that if it’s used as such, it could criminalize activities such as parents monitoring their children’s online activities.

Dec 05 2011
 

Recently it appeared the fear of a foreign hacker penetrating the online systems of American infrastructure had been realized with news that a Russian hacker had attacked and disabled a pump in an Illinois water system.  These fears have now been shown to be misplaced: the supposed “hack” was a login by an engineer traveling in Russia at the time he was requested to perform some work on the system, and the pump broke down on its own, unrelatedly, months later.

Vulnerabilities of public infrastructure are not an idle concern.  The Stuxnet virus, which specifically targeted nuclear facilities in Iran, illustrates that infrastructure can be a compelling target and quite feasible to affect if those systems are not properly protected.

But the water system “hack” shows that proper protection of infrastructure — and, accordingly, any law intended to advance this — needs to be done carefully, with clear understanding of the actual threat and competent engineering not prone to panicked histrionics.  From the BBC article about it:

“Nobody checked with anybody. Lots of people assumed things they shouldn’t have assumed, and now it’s somebody else’s fault and we’re into a finger-pointing marathon,” wrote Nancy Bartels.

“If the public can be distracted from the issue of how DHS and ISTIC fumbled notification so badly, then nobody will be to blame, which is what’s really important after all.

“Meanwhile, one of these days, there’s going to be a really serious infrastructure attack, and nobody’s going to pay attention because everyone is going to assume that it’s another DHS screw-up.”