>The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
Seems pretty reasonable. There will be arguments over what exactly qualifies but it provides a clear guideline / reasons where someone at the DOJ can not charge someone with good reason.
It hopefully side steps some of the "what even is hacking / a security breach / dude just opened browser dev tools ..." type questions where they can look and say "He notified them of the issue, I don't think this was in bad faith." Now you're all out of those other weeds.
If anything hopefully this provides a good example to trickle down to other law enforcement agencies.
But this is just a policy clarification and not a change to the text of the CFAA itself. Policy is not law and there can be arbitrary exceptions and even complete reversals of policy with a change in power.
This was a constant PITA while I was on an H1B and while not changing the laws, they kept on changing exactly how they interpreted everything.
My lawyers told me also to not use government benefits while on a Green Card, because even though it's probably ok and won't harm my chances at citizenship they may change how they interpret it later down the road and even though I was in the clear when I got the benefits it might as well become a showstopper later on.
Yes, this is one of the drawbacks of Congress delegating broad swaths of authority to regulatory agencies… there is no protection from ex post facto changes.
In the abstract, arbitrary enforcement of the law is a serious threat to democracy. I completely agree, the law needs to be amended. Unfortunately Congress doesn't seem to act unless it's in the interest of their megacorp donors.
On the other hand, airtight enforcement of all laws is a serious threat to liberty. Laws are imperfect and prosecutorial discretion is an important safety mechanism to prevent people in odd edge cases (which it turns out, are common) from getting unjustly maimed by the legal apparatus. Adjusting laws is also part of the process, but that is a slow process (another safety mechanism.)
> … prosecutorial discretion is an important safety mechanism to prevent people in odd edge cases … from getting unjustly maimed by the legal apparatus.
I agree, but there needs to be a mostly-automatic mechanism whereby repeated exercise of this discretion affects the law itself, so that you don't create the opposite problem: people getting unjustly maimed by the legal apparatus because a prosecutor decided to use their "discretion", for whatever reason, to enforce an obsolete law which was still on the books even though it's almost never enforced. (Because legislators apparently have better things to do than repeal old laws which aren't affecting hardly anyone.)
A law which consistently goes unenforced should eventually become unenforceable, not remain discretionary. Consider this an application of the estoppel principle: If you choose not to enforce the law in cases A, B, and C, you shouldn't be able to later try to enforce it in case D without showing that there is some substantial difference between D and the first three cases.
Mandatory sunset clauses would be another good idea, along with a requirement that the entire bill, along with any external documents incorporated by reference (e.g. building codes), must be read into the official record with a quorum of the legislature present before it can be passed or renewed.
To give an example, the UK has passed seventeen "Statute Law (Repeals) Acts"[0] since 1969, the most recent[1] being in 2013, which repealed the whole of 817 Acts of Parliament, and portions of more than 50 others (on the advice of the Law Commission[2]).
> Mandatory sunset clauses would be another good idea, along with a requirement that the entire bill, along with any external documents incorporated by reference (e.g. building codes), must be read into the official record with a quorum of the legislature present before it can be passed or renewed.
This is one of the most sensible things I've heard proposed that will never work. (I'm saying that, if laws are so complicated that no human can learn them well enough to keep themselves in compliance without assistance of a compliance department, or so complicated that even the people who are directly responsible for them cannot be bothered with being made aware of the details and double checking that they still make sense on a somewhat regular basis... then they are too complicated.)
I think it will never work because complex things are complex for a reason on the balance, and because we're already "too deep to dig ourselves out of this hole." But in principle I agree wholeheartedly with this idea.
Where do you get that anyone wants to strip anyone's rights away from within this conversation?
We're talking about laws, which generally bind individuals to certain behaviors. Laws do not make rights as far as I'm aware (and IANAL), they are "God-given." At least in US legal tradition, as I understand, the default position of the law is that you are allowed to do anything which does not infringe on anyone else's enumerated rights, and laws can only bind you from doing things which you would otherwise be free to do in the absence of those laws.
If the laws which bind our behaviors are so complex they cannot be read aloud in their totality in any practical time period then how is anyone (let alone anyone whose profession is not "the law" or acting in legislature) ever to be expected to understand them as a whole? (Especially when certain laws have traditionally gone unenforced, to borrow from the original context of this thread.)
The law should be possible to understand. That is a decent aspirational goal. I'm not sure what you think I meant but it's not what you said.
> people in odd edge cases (which it turns out, are common)
Common in this case because the CFAA is often used not as an enforcement tool, but as a way of silencing critics, stifling scrutiny or just in general saving face.
> airtight enforcement of all laws is a serious threat to liberty
Only because "all laws" now includes all manner of micromanagement of people's lives by the government. The proper way to fix that problem is to stop the micromanagement by repealing all of those laws, not by making the micromanagement discretionary. Nobody complains about "airtight enforcement" of laws against, for example, murder. In fact, the common complaint about those laws--i.e., laws that actually encode a prohibition against an obvious crime--is that they do not get the airtight enforcement that they should get--because law enforcement and politicians are too preoccupied with all of the micromanagement to just do their basic job of protecting people's basic rights.
People complain about lack of discretion with murder - that's why we have multiple degrees, and it's a matter of discretion (by many parties) which was committed.
Discretion is fundamental to the legal system. Any system that doesn't allow discretion is going to be a disaster - the world is complex, there's always nuance. It also leads to abuse, but I reject the idea that strict enforcement would solve abuse - but you've basically said "some laws" are bad laws so it's hard to say.
I suspect you're just saying "government should stay out of everything, that way people are free", and you're ignoring the fact that in a system like that no one's stopping a bunch of assholes from shitting on everyone else because it's not illegal.
> People complain about lack of discretion with murder
I don't think people complain about lack of discretion with murder. I think people complain about too much discretion: obvious murderers are allowed to go free because of technicalities or political influence.
> that's why we have multiple degrees, and it's a matter of discretion (by many parties) which was committed.
No, it's a matter of discretion which gets charged, in the sense that the prosecutor cannot be forced to bring one particular charge or another; it's the prosecutor's choice. But in most cases, which charge best fits a particular set of facts should not be difficult to determine. And in a sane legal system which only focused on protecting basic rights instead of trying to micromanage everything, it wouldn't be.
> Discretion is fundamental to the legal system.
Discretion in rare edge cases is fundamental to the legal system. But as I commented elsewhere in this thread, if the need for discretion is common, then we aren't talking about edge cases; we're talking about a legal system that has gotten out of hand.
> I suspect you're just saying "government should stay out of everything, that way people are free"
I have no idea where you're getting that from since I explicitly said the government's basic job is to protect people's basic rights.
> I don't think people complain about lack of discretion with murder. I think people complain about too much discretion: obvious murderers are allowed to go free because of technicalities or political influence.
Discretion is literally built in ie: intent, malice, negligence, etc - these are all subjective judgments that I think any sane person supports. Accidentally killing someone should be treated very differently from planned murder - and we use subjective judgment to determine the case.
> No, it's a matter of discretion which gets charged, in the sense that the prosecutor cannot be forced to bring one particular charge or another; it's the prosecutor's choice. But in most cases, which charge best fits a particular set of facts should not be difficult to determine. And in a sane legal system which only focused on protecting basic rights instead of trying to micromanage everything, it wouldn't be.
First off, no, it is not the prosecutor's sole discretion. Obviously the prosecution (which is many people who form a consensus) brings the charges, but the defense may attempt a plea for a different charge, and the judge will instruct the jury on how to determine a conviction. Discretion is fundamental to the entire process, as it should be.
Second, notice that you're already saying things like "in most cases" ie: things are not 100% one way or the other.
> Discretion in rare edge cases is fundamental to the legal system. But as I commented elsewhere in this thread, if the need for discretion is common, then we aren't talking about edge cases; we're talking about a legal system that has gotten out of hand.
Discretion is already selectively applied. Not every case goes to a jury. We have different types of discretion, like civil law or arbitration. What no one is asking for is less discretion. "Zero tolerance" black and white policies are pretty much a disaster.
> I have no idea where you're getting that from since I explicitly said the government's basic job is to protect people's basic rights.
Maybe you should come out and say what those basic rights are and are not?
> these are all subjective judgments that I think any sane person supports
They are legal judgments that in the end, if the case goes to trial, get made by juries. They are only "subjective" in that no person can truly see inside the mind of another, so everyone has to make their best judgment based on what they can see.
That's not at all the same as law enforcement selectively enforcing micromanagement laws--my usual go-to example is laws against speeding. Nobody even pretends that enforcement of speeding laws is a reasonable use of discretion on the part of law enforcement: enforcement is based on using such laws as a revenue source. The CFAA is the same kind of thing: as I asked in another post upthread, since fraud is already illegal, why should using a computer to commit fraud be any different from committing fraud some other way? Why not just enforce the laws we already have against fraud?
> it is not the prosecutor's sole discretion. Obviously the prosecution (which is many people who form a consensus) brings the charges, but the defense may attempt a plea for a different charge
Again, this kind of "discretion" is not the same as the kind of "discretion" involved in enforcement of micromanaging laws like speeding laws. Obviously each party in the legal process has to make judgments. Prosecutors have to decide what charges the facts they have will support. Defense lawyers have to decide how best to defend their clients given what they know. But in a sane legal system, prosecutors should not be deciding which cases to aggressively prosecute based on political considerations (e.g., how Aaron Swartz was treated), and defense lawyers should not have to decide whether to advise their clients to accept a plea bargain based on how full the court's docket is.
Nor, to get back to the subject of this thread, should prosecutors be deciding whether "white hat" security researchers are committing a crime. That should not even be on their radar. But with the CFAA, it is. And we're supposed to be so pleased that now the prosecutors will be less draconian in making such judgments than they were before.
> Maybe you should come out and say what those basic rights are and are not?
Um, how about the right not to be murdered or defrauded? Do those count?
> They are legal judgments that in the end, if the case goes to trial, get made by juries. They are only "subjective" in that no person can truly see inside the mind of another, so everyone has to make their best judgment based on what they can see.
It's really nuts to me that "legal" And "subjective" are concepts you're trying to draw a hard line between. Of course all legal judgments are subjective - that is both obviously inherent as well as being a desirable feature. Yes, you nailed it, the jury system does indeed require a judgment based on the information as it is presented to them...
> Nobody even pretends that enforcement of speeding laws is a reasonable use of discretion on the part of law enforcement: enforcement is based on using such laws as a revenue source.
I mean, how does this support your case? Speeding laws are extremely black and white, there's very little legal discretion, the discretion is in terms of enforcement ie: are you getting pulled over. But it's not like you sit in front of a jury and present the facts, it's much closer to what you seem to be advocating for - a system with less human intervention.
> since fraud is already illegal, why should using a computer to commit fraud be any different from committing fraud some other way? Why not just enforce the laws we already have against fraud?
For like a million reasons lol I feel like this is just "I have no idea how the legal system works, but in my mind this whole thing is so simple, why not simply apply the law objectively?".
I mean god I don't even know where to start. Different types of fraud are going to have jurisdiction in different agencies. We fundamentally require different agencies because we have a federal and state legislature (and many other very good reasons) - so I guess if you want to remove states and "simplify" things, maybe you could start moving towards a single "fraud" construct?
There's also expediency and practicality, but that's more nuanced and I feel like if I have to explain "there's a federal and a state government" we shouldn't jump into how a law is made.
> But with the CFAA, it is. And we're supposed to be so pleased that now the prosecutors will be less draconian in making such judgments than they were before.
Multiple things can be true. The CFAA is broad and shitty. Also, the legal system is not some simple thing where you can just "objectively" enforce the law, nor should it be. If you want to say "the CFAA is overly broad" ok, cool. If you want to say "this isn't a good thing because this is just a policy, not a change in the law", ok sure.
But saying "We should have a singular objective definition of fraud" and acting like that's simple or achievable is plain naive, and this whole discretion argument almost feels irrelevant.
At this point I don't think you even know what you're trying to say, I'm gonna disengage. I would suggest you disentangle your points since it seems like you're trying to say a lot of different things.
Good, then we're in agreement on my basic point: that the CFAA is bad law. That means the best way to fix the root problem with the CFAA is to repeal it because it's bad law, not try to patch it. As I have pointed out at various points in this overall thread, we already have laws against fraud. All we need to do is apply them to fraud committed using computers. We don't need a whole new set of laws just for fraud committed with computers.
> At this point I don't think you even know what you're trying to say
> Nobody complains about "airtight enforcement" of laws against, for example, murder.
Even then, there is prosecutorial discretion. There are all kinds of edge cases, like brainwashed/abused accomplices, and the gray areas between murder, manslaughter, and self defense, or between different degrees of murder. It's easy to say all the real murders should be charged as such, but which are those? Just about any homicide could turn into a murder trial, if the prosecutor were so inclined, but not all of them should turn into a murder trial.
If they're common, they're not edge cases. The whole point of having prosecutorial discretion for edge cases is that such cases should be extremely rare. If they turn out to be common, it's a sign that the whole system of law has gotten out of hand, not that some boundaries need to be tweaked.
Any rule applied across 300 million people is going to have edge cases regularly - maybe even weekly or monthly - that need to be investigated and decided on.
That makes it ‘common’ but also not worthwhile to spend months updating the code on if they are each different issues.
> Any rule applied across 300 million people is going to have edge cases regularly
The rule against murder is applied across 300 million people and very rarely has edge cases. The same goes for the rule against fraud, which is more to the point for this discussion (see below).
The problem is that most of the "rules" that are applied across 300 million people are not straightforward rules like the ones against murder or fraud, but micromanaging rules like the ones in the law that is the subject of this article. The law itself is silly: fraud is already a crime, why should fraud using a computer be any different from any other kind of fraud? If we just had the simple rule against fraud, it would be obvious that "white hat" security testing of computer systems is not fraud and is not a crime, and we wouldn't have all the edge cases that make enforcement of this law such a mess. The only reason the edge cases are so common is that the laws are not written to embody simple straightforward rules against obvious crimes that everybody can recognize; they are written to embody complex, byzantine rules that have evolved over time because people have the mistaken belief that giving more power to the government can solve problems. But actually, as the old joke about regular expressions goes, when people try to use the government to solve a problem, now they have two problems.
> Murder has, like tons of edge cases, as reviewing almost any jurisdiction’s criminal homicide laws will reveal.
In other words, you're saying that even what should be fairly simple laws have been overcomplicated by our byzantine legal system, so that prosecutorial discretion can be abused even for them. I don't disagree, but I don't see how it contradicts my basic point.
> In other words, you're saying that even what should be fairly simple laws have been overcomplicated by our byzantine legal system
No, I’m saying that operationalizing fairly simple moral principles into forms suitable for enforcement as laws is inherently messy, and that the examples you cited of it's potential simplicity, in fact, are examples that demonstrate the very complexity you held them up as lacking.
> operationalizing fairly simple moral principles into forms suitable for enforcement as laws is inherently messy
Assuming that I agree with this (at least for the sake of argument), it still misses my point. My point is that most laws--and the CFAA is an example--are not "operationalizing fairly simple moral principles into forms suitable for enforcement as laws". As I have pointed out several times now at various points in this overall discussion thread, we already have laws against fraud. Why should fraud that is committed with a computer be any different from fraud commmitted by other means? Having a separate law that makes committing fraud with a computer different from committing fraud some other way is not operationalizing a fairly simple moral principle against fraud. It's making the legal system more byzantine and complex for no good reason. That is what I am arguing against.
No, their point is that reality is nuanced and complicated and in an attempt to be just and non capricious the legal system builds up complexity. But it still requires human judgement.
Huh? Murder and fraud have tons of weird edge cases!
Most jurisdictions even have 3+ different definitions for murder alone (not to mention manslaughter) and a bunch of specialist lawyers to figure it out, and a bunch more lawyers to argue about technicalities!
> Most jurisdictions even have 3+ different definitions for murder alone
In other words, most jurisdictions can't just leave it at a simple common law definition of murder; for example: "At common law, murder was defined as killing another human being with malice aforethought." [1]
This is not a matter of edge cases. It's a matter of the legal system getting out of hand even for what should be basic common law crimes.
Common law uses case law for precedent, which is insanely complicated and requires years of study and decades of active practice to not screw up badly.
We do! The CFAA was literally a reaction to the film WarGames, written in an era where computers were rare and unusual, and very few people had any legitimate reason to access a computer network. It's long past time that it was updated to reflect modern reality and expectations.
But in the meantime, it's great that the DOJ is explicitly denouncing some of the more ridiculous interpretations of the CFAA. No reasonable person would expect that violating a web site's Terms of Service could result in criminal charges, for example.
And those amendments have generally been in the direction of broadening the CFAA even further, like defining a "protected computer" as any computer used for interstate commerce or communication (which could mean any computer, or even a cell phone).
I agree that it's not a perfect solution (there's rarely such a thing in the application of law), but it's a better solution than a single DoJ administration's policy statements.
I don't think anyone is suggesting anything different, only that a change in law would be much stronger effective defense and something to also strive for (despite also not being perfect).
Or at least in the USA, actually seat a "jury of ones peers" rather than random Joes that can barely turn on a computer. For computer related crimes it shouldn't be that hard to find people working in a technology oriented field.
That's a difficult principle to generalize. Surely cops shouldn't get juries comprised of other cops. A lot of professions are known for circling the wagons and protecting their own (and I think tech is not the worst, but certainly not an exception.)
The law interprets "jury of ones peers" differently than that. It specifically doesn't want them to be subject matter experts since each side will bring their own expert witnesses. It instead simply wants them to be ordinary, unattached members of the public rather than judges, prosecuters, politicians, or the victims themselves.
Right, your legal peers are members of the same social class (commoner, aristocracy, royalty), not people who work in the same field. In the US there is only one official social class, so everyone is your peer.
There does seem to be an issue with baseline education standards and the ability of the jury to understand the evidence which they deliberate on, however. To an extent it's the lawyers' job to ensure that the jury understands their arguments, but no reasonable effort from a lawyer over the course of a single trial is going to make up for a lack of basic familiarity with the subject matter, which might normally take years to acquire. There is something to be said for systems which rely on professional jurors rather than random members of the public.
I once asked a friend who litigates patent infringement cases how a jury could possibly come to an informed decision on these cases. He said that it is definitely a challenge but that juries are pretty good at discerning when someone is lying or dissembling and litigators can build cases or defenses around that.
Definitely anecdote and not data, but I found it interesting coming from a litigator in this area.
A jury of one's peers means a random selection of the public. In England the Magna Carta codified this due process protection and it means that noblemen would be judged by other private individuals in their social class instead of by the King's functionaries.
In the abstract, arbitrary enforcement of the law is a serious threat to democracy.
No its not. Prosecutorial discretion is older than the US Constitution. No one expects the police to pull over every driver that is going 36 in a 35, or arrest someone speeding to the hospital, or arrest everyone that fails to return a library book, or arrest every birthday party with loud music after 10.
The police and prosecutors have always had the power to use their good judgment and warn without citing or prosecuting.
Absolutely they should. Fix the speed limits so they are not more or less universally wrong / too low, and then enforce them. Discretion on them is ridiculous, it just means a cop can pull you over and ticket you whenever they want because driving safely, the same speed everyone drives on a given road, is technically illegal.
When unfair laws are enforced uniformly, the sons and daughters of the legislature, or even the legislature themselves become subject to the same laws they create. This applies the necessary pressure to repeal unjust laws. The alternative are laws that are only applied against 'bad people' - as determined through some inscrutable belief system. You should be able to imagine how this can be used to discriminate against entire classes of people.
> No one expects the police to pull over every driver that is going 36 in a 35
Why not? If it's ever OK to pull someone over for 1 MPH over the limit without any other violations, then why isn't it always? Where do you draw the line? Why not codify that instead of the strict limit?
If there is supposed to be discretion, then the law should acknowledge this by not providing a strict limit and requiring that the state prove a case that the driver was being unsafe by traveling the speed they were. If there is a strict limit, then it should be set such that one can reasonably say that it's always wrong to exceed it. Saying it should be strictly enforced for some and loosely for others just leaves room for that discretion to be weaponized.
---
It's also worth noting that at the moment speed enforcement has a much greater impact on the poor than the rich.
For the most part if you can afford to hire a lawyer speeding tickets can be converted in to zero point off-the-record offenses and are then just a fine, and since fines are not scaled by income in this country anyone who has sufficient disposable income becomes effectively immune to them where a person living paycheck to paycheck already who then likely has to take some or all of a day off of work to go to court might be ruined.
Fix that and I could be in favor of strict enforcement as long as it was truly universal. I feel like if everyone was actually forced to obey the posted limit strictly we'd get some progress on killing speed trap towns and fixing the many places where a fast road has been built with an arbitrarily low speed limit that no one ever follows because it's insane.
Laws have always been used to enforce ‘public order’. They’re less capricious than a magistrate just coming up with things at least, but the public in general would be up in arms if they were enforced blindly instead of against ‘problem cases’.
And the public ultimately is the power here, or the ones who decide if a big scene is going to be made anyway.
The difficulty that arises when people in power have the opportunity to use judgement to decide the courses of other peoples' lives is that we regularly see that judgement implement their (entirely human, but unjust) biases. Maybe they let the hot girl run a stop sign, but do an "exploratory stop" on the black dude because he "looks sketchy", escalate to a strip search because of a "odor of marijuana" and leave him with his car disassembled on the side of the road when they don't find anything (assuming nobody catches a beating or a bullet over a miscommunication).
On the other hand, efforts to constrain that power have a tendency to encode societal biases and injustices in law (see mandatory minimum sentences as a prime example), so it's not at all clear what the right compromise is.
Something being old doesn't make it a good thing. Slavery was pretty old, we managed to get rid of that and I don't think we're worse off.
To your point: I'd be thrilled if police officers actually pulled over everyone violating each and every traffic law. It'd make roads much safer and easier to use. As it stands where I live there is no longer any traffic enforcement.
Yep, this is very true. We see this all the time with other agencies. For example, the ATF waffles and changes definitions all the time resulting in felony charges for people who owned something that was previously approved. No reason to believe this is any different. Although it is a step in the right direction - just not a permanent step.
Are they actually reviewed? My understanding is that the agency submits them for review, but doesn't require any action for them to take effect. If congress doesn't like it, they have to submit a joint resolution to overrule it.
The point is, if it were a bill, you'd have to have enough support to make the change, compromise on terms/ammendments, etc. It also means the elected representatives would be held accountable by the voters. As a regulation, they can avoid compromise and most accountability. The regulation would have to piss off the ruling party for the joint resolution to be a viable option.
They do get reviewed by a lot of people. special interests like industry trade groups, businesses, members of the public with an interest, and congressional staffers. Occasionally a Congress person gets involved due to an interest.
Periodically an agency proposes something that stirs up a firestorm, and rarely (but it happens), they do get overridden by Congress.
Usually it’s handled through the public review comment and strategically done strongly worded letters from interested Congress people or committees.
It’s important to keep in mind that these are the second order effects FROM Congress passing a law to create an agency and funding it.
Because the reality is that if the executive waited for approval from Congress or for the solution to a serious issue to be non-controversial, they’d literally never be be able to
do anything at any such agency. They already are dysfunctional enough as-is. If you think requiring sign off from the even less effective organization that is Congress on everything is going to make it better, I have a bridge to sell you.
And as enticing an idea it might be sometimes to have the DEA, ICE, FBI, etc. unable to actually function, they do generally serve a necessary purpose and them completely not functioning is unlikely to result in anything the nation overall would consider ‘good’.
The periodic Gov’t shutdowns help show this to be the case.
The register, with it’s problems, and even when abused (cough Ajit Pai and net neutrality) is still better than what used to happen, which was the agency would just do it’s own internal policy making and keep it secret until they got sued (which isn’t easy to do with sovereign immunity when the agency declares all potential evidence secret!) or Congress started to investigate. Then half the time they’d shred all evidence and deny all wrongdoing.
Congress has also made it clear they have no interest or ability to provide guidance or fine grained clarification on things at the level to actually be able to run an organization the size of the Executive or it’s Agencies. It would also probably be unconstitutional to try.
If you want to see some agencies that conveniently skip things like the Register, look no further than the NSA, CIA, large swaths of the DOD, etc.
IMO, the real issue is the ongoing massive income tax revenue that feeds the machine. It was originally used to fund the world wars, but never dialed back. As long as that giant stream of money keeps going to the Federal Gov’t, it will continue to be used to justify itself and be spent.
It presents strongly in the courtroom for the defense.
Even the worst case scenario of it being revoked in the future, "The jury needs to know the government cannot make up its mind if the defendant committed a crime, or more likely, did not commit a crime."
"Preponderance of the Evidence" is simply going to be tougher when this is handed to the defense.
Orin Kerr is commenting about this on Twitter right now and says pretty clearly that the new policy doesn't create any rights in court; you can use it to try to persuade DOJ not to prosecute, but it's unlikely that you can use it as a defense once they do.
Is this true? Is a valid defense in court "your honour, I'm afraid that while I have broken the law, the prosecution should have ignored it according to their own policies?"
No. The Principles of Federal Prosecution (Title 9 of the Justice Manual) make very clear you can't litigate whether a prosecutor is following DOJ's internal policies - that's between the Assistant US Attorney, the US Attorney, and the Attorney General.
‘It Depends’. It can be a valid defense that the law is not actually prosecuted normally and you’re being singled out. That would require proving however that the prosecutors did actually know of and refuse to prosecute most others.
‘Making an example of someone’ that they happen to catch (and being terrible at catching most people) is still perfectly fine however. So good luck with that.
> It can be a valid defense that the law is not actually prosecuted normally and you’re being singled out.
My understanding is that in the US "singling out" specific criminals is perfectly OK for the prosecution to do (well, legally speaking, I'm not saying it's ethical or won't get them in trouble with voters).
(Again, given you aren't singling them out because of a protected class like race, sex, etc)
Again, ‘it depends’. You’re generally correct, but ‘bills of attainders’ laws (aka targeting specific individuals) along with the ‘equal protection before the law’ clauses make it unconstitutional to target specific individuals instead of classes of behavior, and that is the general theory behind it not being ok to do true selective enforcement (aka Bob gets charged for something Joe does openly all the time).
Like pointed out in a sibling thread though, essentially impossible to prove, let alone get anyone to care about, and useless as a defense unless someone is being stupidly blatant about it.
Ken White (Popehat, a former prosecutor) and Josh Barro had a podcast for several years about the legal travails of the Trump administration, a theme of which might have been "you are never going to win a defense based on selective prosecution, just put it out of your mind."
>"your honour, I'm afraid that while I have broken the law, the prosecution should have ignored it according to their own policies?"
No, but I'm having a hard time finding a reference now :/ You may be able to argue malicious prosecution, in which that may be a piece of evidence. The bar for MP is quite high though.
Another far-fetched strategy would be to argue that, because of the government's inconsistency about how the law is applied, the law itself might be unconstitutionally vague.[0] This is not legal advice, though.
I propose that this issue be affected in a different manner; through legislation to make companies and the executive level personally liable for any and all damages due to breaches, to an extreme level to motivate the companies and people to alter their positions on these matters.
I get that people have this desire to impose their assistance on others by testing and revealing security vulnerabilities, however, how would you like if someone knocked on your door one day and said, "hey, I was checking out all your doors and windows last night while you were sleeping and hacked into your security system, and thought you should know that it's all suuuuuuper insecure." I doubt most of us would appreciate that either.
What we really really dealing with here is an abuse by the companies/services, where they have externalized the cost/risk of security vulnerabilities in lieu of profits and exec bonuses. If they had to internalize the risks/costs through my proposed damages, they would be quite motivated to prioritize even paying for white hat pen testing type activities, or even just opening up avenues for reporting and rewarding.
1. There isn't a single country in the world that does not use policy as the cornerstone of day-to-day governance, procedure, and enforcement.
2. There can be arbitrary changes to law too, with a change in power.
You have numerous forms of redress when you feel that policy is incompatible with law. You can ask the agency in question. You can ask a legislator to pressure the agency. You can ask a legislator to write an explicit law. You can take the agency to court. You can elect an executive that can lay down policy requirements on their subservient agencies.
There's a very unfortunate political meme in this country, that frequently repeats the lie that policy (executive or otherwise) is not the product of elected government. Like any magical spell, if repeated loudly, and frequently enough, I suppose its disciples might will it into being.
When you don't like how the state's prosecutor's office works, in this country, you can elect a new head prosecutor, who will make changes in their department. When you don't like how the federal prosecutor's office works, in this country, you can elect a new executive. All of these agencies under thus, under direct democratic control.
> 2. There can be arbitrary changes to law too, with a change in power.
Arbitrary changes to law aren't retroactive in general. If you did something in the past that has later become illegal, you can't be prosecuted.
The same doesn't apply for policy changes.
There is no prohibition on the legislature passing civil ex-post-facto laws, only criminal.
Agencies can only enforce ex-post-facto policy changes if congress explicitly authorized them to.
... Also, as Matt Levine points out, executive agencies are prohibited by law from making capricious and arbitrary policy changes. Congress is not bound by any such restrictions - it can pass legislature that is as capricious and arbitrary, and as completely devoid of public input as it likes.
Sure, this isn't a revised law, considering how hard that is to pass today, but it is a useful piece of official text from the highest law enforcement body of the land that should be taken to indicate what the government considers acceptable behavior. Proving you were abiding by what the government declared permissible is a pretty solid defense.
There's so many cases of that. So many cases, it's the typicallest thing the first thing a clever kid who sees a glitch--supposing he's a good kid, I was--wants to do is tell the people who made it to make it better. It happened to me with Banco Estado, we were two OK remarkably smart guys but still, we were just shooting the shit on the subway none of this secret conversation on Signal business, and I said: hey Chilean banks have tiny tiny passwords, like pitiful. Might as well be one digit, like in the Little Rascals when the kid dressed up like an adult is asked for his bank number, he says "seven". Then tries "8". From the computer perspective, it is one digit.
And we spent one minute joking how trivial it would be to rob the bank, but since then I just felt bad. It's the only account you can get for free in Chile, without a monthly fee and compound interest on that fee, and then collections out to fuck you. It means employers can look at their employees accounts during negotiations, brute force those four digits, and everything's unsafe, nah...it's basically due to the disgrace of Chilean education, just got plundered to pay for the expensive torture/rape apparatus, and to keep the poor and middle-class Chileans down. And secondly, to cut down on call center costs, that's why even Banco BICE, a really hot shit bank, has an embarrassingly low maximum limit on password length. I told an Indian about it, a IIT graduate, about this maximum he said "minimum. 8 character minimum." I corrected him, "no, maximum. I made it as long as I could."
This appears to be good however recent events showing the deconstruction of prior precedents and other policies not directly implemented by laws raise a tangible concern.
It would not be surprising if some bored prosecutor with a grudge attempts to throw this out the window. In addition litigation by private-companies using the same laws could attempt to win by the virtue of having better funding and/or lawyers than the defendant.
True, unless the person with the insecure internet service has lots of money or power. Then it doesn't matter. Rock the boat, even legally, and you get a not so friendly 6am visit from the FBI and they steal all your possessions, all your flatemate's posessions, and ruin your life despite no laws being broken or even an indictment.
Only to return the stolen goods 10 years later by shipping them unprotected in cardboard boxes so badly packaged they arrive with parts sliding around freely and a video card sticking, literally, out the side of the cardboard box where it punched though.
Basically, don't believe the Justice Dept. They're a bunch of lying assholes. And the FBI is made up of crooks.
"Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges."
There was a period of time during which it was believed (maybe accurately) that you could make a viable CFAA case out of a ToS violation. But that was more or less put to rest by the DC Circuit (and I think the Ninth Circuit before that) a couple years back.
This is good and bad at the same time. It's like having a law that says that the police can shoot anyone at will, and then announcing that since people were concerned that the police would shoot someone going to the grocery store, all police are ordered to not do that.
It's better than shooting people for going to the grocery store, but the real problem is the law.
What's actually happened is that the government interprets the CFAA so broadly that it's easily abused, people have been pointing this out in court, and the government response is to keep the broad interpretation but announce they won't enforce those specific abusive examples. What they should do is admit that their interpretation is too broad; this is smoke and mirrors to avoid doing so.
The US government isn't unitary. The executive branch controls enforcement policy, the judicial branch controls interpretation, and those can disagree. Your “they” refers to separate institutions that do not have control over each other.
He's implicitly saying that the legislative branch is failing here, so yeah, it's bad overall. Plus the executive branch does have significant control over legislation, and it's also bad that they're not trying to fix the law.
Overall, this individual move by the justice department is good, but it's bad that more isn't being done.
The law isn't crazy as written; it's crazy as misinterpreted. Van Buren v. United States is the Supreme Court case that tossed out most of the batshit crazy interpretations. Today, MIT wouldn't be able to Schwartz people as easily as it did in years past.
(And yes, MIT kept threatening folks like whistleblowers under the CFAA to get them to sign NDAs long after Schwartz; to Schwartz someone was a verb around MIT)
> This is good and bad at the same time. It's like having a law that says that the police can shoot anyone at will, and then announcing that since people were concerned that the police would shoot someone going to the grocery store, all police are ordered to not do that.
I'm not sure you intended for this to sound really grim, but it does, since this is the de facto law in the United States right now.
> What they should do is admit that their interpretation is too broad; this is smoke and mirrors to avoid doing so.
It seems to me that these guidelines are their admission that previous interpretations had been too broad. I'm curious what you would otherwise expect to see (like, actually just curious; hopefully that doesn't sound confrontational).
In this context, it's the DOJ chain of command. This sort of memorandum isn't something that will impact a person's day in court directly should they be prosecuted; it indicates to prosecutors what the Executive branch would consider a "career-limiting move" to waste public resources prosecuting.
Compare with the Obama-era guidance about federal drug law enforcement in states that had decriminalized marijuana. Technically, marijuana never stopped being a (federal) controlled substance, and every state grow operation and distribution center is in violation of federal law. Obama made clear that enforcing that law in those states would be a great way to send a strong signal to one's boss "I'm comfortable at my current level of achievement and feel no need to ever be promoted in the future," and that policy basically hasn't changed in the intervening two administrations. But the federal law is unchanged on the matter.
Fully disagree. I can think of many situations where you talk your way out of charges. One is a traffic ticket. Another is a domestic dispute where someone is making false accusations about you that are easily disproven.
"good faith" is determined by how much money and power the internet service being audited has. If they're rich or powerful corporation or celebrity then it's in bad faith. If it's some mom and pop webstore then it's in good faith. The FBI are just hired goons for the powerful.
> The new policy states explicitly the longstanding practice [...]
Someone is inevitably going to bring up Aaron Swartz as the poster child for overzealous federal prosecution. To head that off at the pass:
- Swartz persisted in his downloading of JSTOR documents despite knowing that he was causing what amounted to a denial of service attack. He significantly impacted researcher around the globe, for weeks. The impact of this on the scientific community is not understood by most armchair Swartz defenders; publication and grant deadlines, for example, do not wait for "I can't get access to the papers I need on JSTOR." He even set out to speed up the rate at which he was downloading articles by deploying more equipment on MIT's network.
- JSTOR is a non-profit organization that exists for the sole purpose of archiving, cataloging, and providing low cost access to journals for small organizations. It's a bit like protesting high food prices and half-a-trillion-dollar farm bills...by repeatedly chaining shut the doors of the local co-op grocery store because they "enable the system" (or something.)
- Swartz had gotten in trouble for pulling this sort of stunt with PACER (which was far more deserving; the federal court system is mandated to provide the service at cost but has been inflating fees at an astronomical rate, essentially treating it as a for-profit business piggy bank.) The FBI and federal prosecutors pulled him in for a meeting and said "tread very, very carefully, son." What did he do? Ran along and did the same thing with JSTOR.
- Swartz was initially indicted by a grand jury. Common folks, not devil-horned federal prosecutors, thought there was a case.
It is often reported/claimed that Swartz was "going" to jail for X decades or "facing" X decades of jail time
- The case never went to trial and it is unlikely he would have been convicted of all charges (though it is almost certain he would have been convicted of at least some of the charges; he left a preponderance of evidence.)
- The claim of X years is based off combining maximum sentencing guidelines for all the charges, which is never the result for white collar criminal convictions.
And last but not least: prosecutors spent a year and a half negotiating a plea deal - down to a few months in Club Fed. He then refused the deal, in a way that made it look very much like he'd purposefully yanked prosecutor's chains while trying to win his case in the court of public opinion.
He rejected the deal over the advice of legal team I'd classify as "better than the best money can buy", friends (including people like Lawrence Lessig), his family, his partner, etc. Swartz was happy to knowingly do the crime and wanted the glory and cred for it, but his ego could not stand the possibility of "the time".
It's true that grand juries indict most cases brought before them - the standard is lower than at a trial and you don't get to put on a defense - but I don't think it's fair to characterize them as rubber stamps as they do occasionally refuse to indict, and by definition we never know about all the potential cases that could have been brought but weren't because the prosecutor didn't think a grand jury would go for it. It's not a cure all for abuse, but it does mostly ensure charges pass a basic sniff test from a neutral 3rd party.
I followed the case a little but don't remember any suggestions that he was singularly performing a DoS attack from the closet at MIT. Could you cite a contemporaneous source for that?
Also, it's interesting to consider the massive benefit to scientific communities that Sci-Hub has brought. And how the trend since Swartz has been to ever increasing open access and to cut out the rent seekers.
It seems like Swartz helped to light a path that, in general, scientific communities have followed.
Liberating scientific knowledge, verses those who would rather lock that knowledge up and charge rent to use it ... which side are the criminals.
His methodology was far from perfect, but you paint the liberation of scientific knowledge as if it were the crime of the century. I guess you think Sci-Hub is the devil's chariot?
> The policy for the first time directs that good-faith security research should not be charged.
> Accordingly, the policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged. Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges.
> However, the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as “research,” is not in good faith.
What exactly does this policy change even mean? Who was being charged with a federal crime for checking a sports score or paying a bill at work? And since the claim to be conducting security research is not a "free pass" for unauthorized research, I'd really like to know who exactly was being charged under the old policy that is protected by the new?
This "change" just seems like a bunch of pointless grandstanding.
How, exactly, when you qualify it with, "However, the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as “research,” is not in good faith."?
Seems the rando researcher is subject to the same liabilities as before.
I think that line is just there to state the obvious that you can't say "security researcher" and get off free... your actions determine if you are acting as a researcher, not just a claim.
"discovering vulnerabilities in devices in order to extort their owners, even if claimed as “research,” is not in good faith."
If I had just discovered a vulnerability, and didn't have a written contract authorizing me to do the research, I wouldn't feel the least bit of additional protection from this policy change, and would probably refrain from extorting the owner.
Edit: I had read "extorting" as "extolling" and associated with notification, not extortion. (I even typed "extorting" in this response.) I stand corrected, as extortion changes the tone of the qualification.
I went down a small rabbit hole after reading this, curious if it would have saved Aaron Swartz's life.
It seems the lynchpin of the prosecution of Aaron Swartz was that the CFAA criminalizes the breaking of a Terms of Service agreement (ie. it is a felony to break a terms of service).
They've attempted to address this with "Aaron's law" but it is stalled in committee - people have blamed Oracle for lobbying it to be blocked.
So.. this is a nice move from the DoJ, but not enough. Patching up a bad law with a policy to protect good faith security researchers is good, but it's still a bad law.
Swartz wasn't doing security research, and was charged with wire fraud, not just unauthorized use under CFAA. This wouldn't have helped him.
He'd also likely have been undone by the provisos attached to "exceeding unauthorized access"; the red line the new policy draws is that once DOJ can demonstrate that someone knowingly exceeded their access, they're fair game, even if the conditions they violated were spelled out only in a contract or terms of use.
> that division is established in a computational sense, that is, through computer code or configuration, rather than through contracts, terms of service agreements, or employee policies
and later
> A CFAA prosecution
may not be brought on the theory that a defendant exceeds authorized access solely by violating
an access restriction contained in a contractual agreement or term of service with an Internet
service provider or web service available to the general public
and
> the Department will not
take the position that a mere contractual violation caused the user’s previous authorization to be
automatically withdrawn
However, any previous authorization is withdrawn if you receive something that you should understand as a C&D.
It seems to me that this new policy says that to reach the threshold for CFAA prosecution you must now do more than "just" violate the terms of service. Am I misreading?
The layman's definition doesn't matter in the least. What matters are the jury instructions, which you can look up. The court system does not in fact leave it up to whatever definitions of a crime happen to be bouncing around in the jury's heads; the conditions required to find someone guilty of a crime tend to be spelled out in great detail.
Jury instructions which are sure to include a version of "the wire fraud statute is defined as x, for those of you who are not attorneys, think of this as {{ Insert layman's definition here }}."
Rephrasing would help the jury understand how to evaluate Aaron's actions and determine whether or not they meet the standard.
I may be missing something about what transpired that causes me to think that it does not apply, but you can be sure that the jury will have heard evidence from the prosecution which lays out why they believe it is relevant in this particular case.
They’re not what I would call a “layman’s definition”. When you’re on a trial like this, you’ll probably get a printed out version of these instructions to read over and over while deliberating. And the lawyers on each side will try to contextualize their arguments against this exact language (as long as the judge doesn’t think they’re being misleading or breaking other rules).
You may not come into the trial as an expert on wire fraud, but the court will give you the background info you need, and you’re expected to make a judgement based on the law.
It wouldn't have made a difference. People tend to forget just how much effort Swartz put into repeatedly evading MIT's attempts to kick him off their network. That's not the kind of situation this policy change is trying to address.
Heck, from the description of "Aaron's law" on Senator Wyden's site I'm not sure that would have made a difference either. It probably would have at most reduced some of the redundant charging, but since the redundant charging doesn't actually add to the sentence if convicted it would not really have affected the ultimate outcome much.
There's a good summary of the long cat and mouse game to try to kick him off the network, and an analysis of the various charges against him and how likely they were to stick here [1].
One the one hand, you're absolutely right. Anyone who kills themselves clearly had some sort of mental health issue. But on the other hand, he grew up in a wealthy family and briefly attended Stanford -- he had access to some of the best health care in the world already.
So I'm not sure better mental healthcare would have helped. Probably more along the lines of destigmatizing mental healthcare might have helped, which is a much harder problem to solve, but also something that thankfully Millennials/Gen Z are doing on their own. It's no longer taboo to mention that you're in therapy.
Hypotheticals like this are difficult to answer seriously. Still, if I had to guess, I suspect he would have been prosecuted nonetheless because he wasn't a good faith security researcher.
Feels weird that a law can apply to too much & be damaging to society to such a degree that the judicial arm of government just agrees it'd be awful to enforce the law & declares that they dont intend to.
It is often not possible or desirable to have laws that are so complete and exhaustive that they require 0 interpretation. Laws, like most thing, are designed to try to balance flexibility and clarity where necessary. Otherwise, they are mostly worthless, or become worthless very quickly.
(and no, you can't just make them super explicit and constantly update them, it's completely intractable)
As a result, pieces of government offering guidance/manuals for their enforcement is very common.
This is true both criminally and civilly.
For example, the USPTO maintains the "manual of patent examining procedure" that somewhat exhaustively interprets patent law.
SCOTUS already shrunk the scope of some laws (I think it was the CFAA) where they disagreed that simply violating a local policy about computer usage === CFAA.
I think this is a slow but natural process to narrowing it down.
Note this is the executive branch not the judicial. Sadly laws are so hard to legislate now this is how fixes are often being done - piece meal, weakly, and subject to random changes by political whim.
I don't care about the specifics, I don't care that the revision will certainly have some flaws. But it matters that anyone bothered to push for the security angels. This makes for a healthier security landscape. For more honest penetration tests. For adding more volunteers to the good side. Really, how did this even pass the usual hurdles to progress???
Not only that, but as merely a change in policy, as opposed to a change in the actual law, it's more or less alterable on a whim. A new administration, or even this administration could reverse this at the drop of a hat. So it's not exactly something to rely on to any tremendous degree.
Sounds like a good way to get your cheeks clapped by the Feds. Only believe it if it had the weight of law for something like this. No way would a person want to wing it with a DoJ "promise". Lol. C'mon man.
-make it clear who is not authorized to access your system.
-make it clear where out of bounds begins despite authorization.
-make it clear that when not explicitly authorized, any scanning, sniffing, spoofing etc. ; will be considered preparation for an attack; good faith cant exist unless you are explicitly authorized to probe the system.
"The policy focuses the department’s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails"
This doesn't work. You are basically suggesting no one 'non-authorized' can find serious vulnerabilities. We save all of those for bad actors who are already outside the law.
im not only suggesting that, i enforce it. if your not invited to contact my system stay away from it, im the one looking for vulnerabilities, if someone thinks they can do a better job they can email me and ask for permission, exchange notes etc.
if an unauthorized, unrecognized contact starts snooping around my edge, they will be put on the graylist.
Before I put any of my PII or payment data into any system, I'm going to be damn sure to do my due diligence and ensure that they are adhering to some basic security guidelines. As someone who has these skills, I feel obliged to perform audits on systems I use for the benefit of everyone else using the services as well.
I would hope an off-duty mechanic would let me know if it sounds like my car is about to explode. If I'm hanging out with a botanist in the woods, I'd expect that they would let me know if I'm about to eat poison plants. We need to look out for each other, because there sure as hell aren't proper incentives for companies to lock their shit down. Maybe your systems are great, but 90% of networks out there are dangerously insecure.
We seem to be on similar pages, i feel the same way about allowing something that looks like an attack, to persist and become, or obfusicate an actual attack. I want to be sure that entity is adhering to safety guidelines, and in my case doesnt get into trouble if my system is triggered to defend itself.
It would probably help the ~90% of networks if hardware and applications shipped out with secure configurations.
The policy, linked to the bottom of the press release you're commenting on, goes into depth about what "authorization" means, and, more importantly, what it does not mean.
Indeed, it means companies get a loophole for not paying for your bug bounty research because it wasn't done in "g00d f@ith" and is "3x70r710n":
"for the purpose of discovering security holes in devices,
machines, or services in order to extort the owners of such devices, machines, or services—might be called “research,” but is not in good faith."
Companies' bug bounty programs are bound by their terms of service, not by this policy or the CFAA so I'm not sure what you are complaining about. Additionally companies are under no obligation to pay anyone for security research they did on their own (which is not to say that's a good policy) but they don't have to, and attempting to extort them into paying was crime before and it's still a crime.
The main people I would say this impacts is the people doing security research as a pure research pursuit, a hobby, otherwise as journalism or in the public interest.
Having a bug bounty system designed to maximize the work put into testing a system with minimum payout is my chief complaint. The new "policy" does nothing to help that.
You seem to confusing criminal federal law concerning unauthorized computer access with a civil federal law regulating the trade of software vulnerabilities, which is what you'd need to solve the "problem" you are complaining about.
Are you imagining that a security researcher trying to get money from a bug bounty program would be considered extortion? Unless said hypothetical researcher says "pay me or I sell the exploit to the highest bidder", I don't believe the situation you are worried about could exist.
Yes, by the plain language of the policy linked at the bottom of the press release. You only get in trouble if you tease a vulnerability and tell the target "I'm going to disclose publicly if you don't pay me".
Good luck on this. Might not stop you getting arrested and put into pretrial detention for years until you find the right prosecutor to dismiss the charges.
A policy isn't a change in the law. The statute needs to be changed to add an exemption for security research. Until that happens I'd be careful.
Seems pretty reasonable. There will be arguments over what exactly qualifies but it provides a clear guideline / reasons where someone at the DOJ can not charge someone with good reason.
It hopefully side steps some of the "what even is hacking / a security breach / dude just opened browser dev tools ..." type questions where they can look and say "He notified them of the issue, I don't think this was in bad faith." Now you're all out of those other weeds.
If anything hopefully this provides a good example to trickle down to other law enforcement agencies.