In the Wake of Aaron Swartz's Death, Let's Fix Draconian Computer Crime Law (eff.org)
452 points by colin_jack on Jan 14, 2013 | 85 comments



There should also be a push for better use of discretion and 'common sense' from the US judiciary. Most (all?) laws are, by their nature, crude sticks that have to be wielded carefully.

I'm not sure that in this case, the law is 'wrong'. As has been outlined elsewhere, by a reasonable reading of the applicable law Aaron's actions were criminal and (in my opinion) the law itself, in spirit, is not unreasonable.

What is unreasonable in this case, appears to be the application of the law, and more generally, the cost in time and money that is required to mount an adequate defence.

It should never take two years and millions of dollars to have a case like this settled, one way or the other. It seems a basic violation of human rights that it could happen. This is the general problem that needs to be solved in the US.

To end with a favourite quote that feels timely:

"The fall of Empire, gentlemen, is a massive thing, however, and not easily fought. It is dictated by a rising bureaucracy, a receding initiative, a freezing of caste, a damming of curiosity - a hundred other factors. It has been going on, as I have said, for centuries, and it is too majestic and massive a movement to stop"

-- Isaac Asimov, Foundation, 1951.

Let's hope that's not entirely true.


>What is unreasonable in this case, appears to be the application of the law

I don't think you can let the law off the hook for allowing unreasonable applications of itself. The idea of criminalizing "computer fraud" (i.e. breaking into Amazon's servers to have it mail you expensive products without paying or to steal credit card numbers) is not objectionable. But the breadth and vagueness of the existing law, and the obscene penalties, most certainly are objectionable and should be fixed.

I completely agree that something must also be done about the excessive cost of criminal defense as well.


> The idea of criminalizing "computer fraud" (i.e. breaking into Amazon's servers to have it mail you expensive products without paying or to steal credit card numbers) is not objectionable.

What I don't understand is why we need a separate law against "computer fraud", when we already have laws against, well, fraud. In the scenario you describe, in a sane legal system, the person who broke into Amazon's servers would be prosecuted for fraud, period. The fact that the fraud was committed using computers would merely be one of the facts of the case, not a reason for an additional charge.


I agree with you. You kind of have to understand the history: The Computer Fraud and Abuse Act was passed in 1986. I don't know if you remember 1986 (I know I don't), but from what I understand from the history books, computers communicated at around 300 baud and even if you exclude the mandatory freon compressor, the amount of energy required to run a computer with processor power equivalent to the phone in your pocket would still have been measured in tons of coal per fortnight.

So in 1986 they passed a law because "computers are huge corporate things used primarily by banks and governments that cost big money and don't concern common people, so fraud on a computer should have really high penalties." That's why we have a special law for it.

As to whether we still need it to be a separate law from ordinary fraud... no, I don't think so.


> I don't know if you remember 1986 (I know I don't), but from what I understand from the history books, computers communicated at around 300 baud and even if you exclude the mandatory freon compressor, the amount of energy required to run a computer with processor power equivalent to the phone in your pocket would still have been measured in tons of coal per fortnight.

I do remember 1986--I was in college then--and it wasn't that bad. (Though your description was very entertaining.) PCs with modems existed in the late 1970's--a friend's father had a Commodore PET at that time. Certainly by the mid-1980s, with the IBM PC and clones going strong and Apple having released several different lines including the original Macs, computers were no longer just "huge corporate things".


But those were simply hobbyist things like the Arduino or Raspberry Pi are today. I find it very hard to believe that anyone in Congress responsible for drafting the CFAA was considering anything other than corporate use of computers, just like it would be hard to imagine Congress taking interest in the Arduino or Raspberry Pi today and passing legislation that impacts those and other hobbyist devices and platforms.


Huh? The IBM-PC and clones, and the Apple II, Lisa, and Mac, were certainly not "hobbyist" computers. They were used by businesses to do spreadsheets and accounting, by artists to do graphics, and by all kinds of people to do the same sorts of basic tasks we use computers for today. (I did so myself; I had a PC clone, and my college roommate had an Apple II, and they certainly weren't "hobbyist" computers; we used them for serious work.) Even if Congress was only considering "corporate use" of computers in 1986, which is arguable, PCs and Macs were already part of "corporate use".

If you want to say that Congress was too technically ignorant in 1986 to recognize that PCs and Macs counted as "real computers", that I would agree with. :-)


Maybe in 1956 computers were "huge corporate things," but by 1986 there was a global computer network for PCs that remains popular in some parts of the world to this very day:

https://en.wikipedia.org/wiki/Fidonet


In 1986 large computers were still "huge corporate things" which is almost certainly what Congress was targeting with the law rather than Fidonet (hence the trouble).


> What I don't understand is why we need a separate law against "computer fraud", when we already have laws against, well, fraud.

Because when that law was written it wasn't obvious how to distinguish in law between authorized and unauthorized access. You might as well ask why there's a bunch of law specifically regarding real estate when we already have laws about property, or why the laws about murder are so complex when the basic idea is 'thou shalt not kill.'

As an analogy, consider the standard definition of burglary: 'Entry into a building illegally with intent to commit a crime.' Now legally, that means 4 or arguably 5 elements - entry, a building, illegality, intent, and a contemplated crime. These might seem like hair-splitting points, but they're important - not just for the immediate situation of whether someone is guilty or not guilty, but whether or not that makes them liable under a three-strikes law, perhaps years later, or deportable, or how it might affect their sentencing for a completely unrelated crime a decade later, or....

...I mean, have you looked at laws on fraud? They're complicated! It's not obvious in many real-world situations, and it's even less obvious where computers are concerned. If I am operating a computer system, how much information do I have to give you as a user about what you are or are not allowed to do on my system? Where does my responsibility end and yours begin? I mean, many people can't even understand the distinction between copyright infringement and theft, and fraud is a lot more complicated than simple theft - and theft itself is more complex than most people realize. Lots and lots of legal situations arise because people have different opinions about what sort of behavior is acceptable.

I don't know if you remember a pre-internet work environment, but when I was going about in the early 90s promoting the use of email and FTP to skeptical corporate buyers, one of the most frequent questions I used to hear was 'who owns the internet?' It was quite difficult for the typical business person to conceive of how network traffic could be separated from ownership of the network infrastructure, or how any participant in a network like some kid with a modem could possibly stand on the same legal footing as the phone company or the post office.


> when that law was written it wasn't obvious how to distinguish in law between authorized and unauthorized access.

I think you have it backwards. Passing the special computer fraud law was what created the problem of not knowing how to distinguish between authorized and unauthorized access, because it made that illegal regardless of whether the "unauthorized access" (whatever that means) was actually in furtherance of any particular malicious act.

It really is a profoundly stupid law. Nobody seems to be able to tell specifically what it means, and any of the plausible readings make a felony out of plenty of things that ought not to be a felony. And even the cases where unauthorized access is in furtherance of something legitimately felonious, the actually malicious thing we want to prohibit will still have to be illegal on its own, since otherwise someone with authorized access could do it and we wouldn't be able to prosecute them.

Laws are complicated because you have to handle the edge cases. And there are (rarely) edge cases in some laws where adding "on a computer" can make a difference, but the way to deal with that is not to have a special computer law with disjoint elements and penalties, it's to make a minor adjustment to the existing non-computer law to take that into account.


Your utility function as a consumer is wholly different from someone else's utility function as a provider. You might as well ask why we have laws about wire fraud or mail fraud when 'it's all fraud.' I'm sorry, but you're assuming your conclusion as one of your premises and then making a circular argument.


>You might as well ask why we have laws about wire fraud or mail fraud when 'it's all fraud.'

It is all fraud. Wire fraud and mail fraud are different primarily because they occur at a distance and are often interstate, which invokes the need for federal involvement in what would otherwise be a state matter. But that's a federal vs. state thing, not a different kinds of fraud thing. A single federal statute against interstate fraud that had specific provisions for any relevant characteristics of different communications media would still be preferable to separate legislation for wire, mail and computer fraud which is either overlapping and therefore redundant or disjoint and therefore inconsistent.

All we're talking about is how to organize the body of legislation. You can have separate provisions that take into account necessary differences in different subcategories of specific crimes, but similar crimes should be grouped together under the same heading and treated similarly unless there are sound reasons for them to be treated differently.

In other words, DRY.


That's what the Model Penal Code attempts to do, as the Uniform Commercial Code attempts to do for commercial relations. But different people have different ideas about what the model template should be, and the 57 varieties of US law reflect the different concerns of different people at the time those laws were made - in the case of the CFAA, owners of large expensive computer infrastructure.

> It is all fraud.

I envy your certitude.


I understand why we have different laws in different jurisdictions. That is something different, and it doesn't mean we should have overlapping, duplicative, inconsistent legislation within a single jurisdiction, e.g. at the federal level.

>in the case of the CFAA, owners of large expensive computer infrastructure.

Which is the problem. That was a long time ago, those were different people than we are today and things have changed. It is time to reconsider.


Yes, things have changed. But the responsibility for updating the law lies with the legislative branch, not so much the executive.


I thought this was a discussion about "In the Wake of Aaron Swartz's Death, Let's Fix Draconian Computer Crime Law"? I would certainly agree that to do that we should be appealing to the legislators rather than the prosecutors, but I'm not sure what all that has to do with what we were most recently discussing.


You think the issues are simple and that these specific laws about fraud are duplicative; my view is that they're not that simple and that factors like non-locality demand greater specificity. Although I don't think the CFAA is a very good piece of legislation, I completely disagree with your suggestion that it's unnecessary.

I can think of umpteen ways to get out of a fraud charge by playing definitional games once computers are introduced. For example: 'sure, it said on the screen that by pressing Enter I was promising X to be true, and I hit Enter knowing X to be false. But you haven't shown that any human ever reviewed the transaction, and a computer system isn't a person; so it's meaningless to say that I deceived the computer, therefore no fraud took place.' Bullshit, of course, but new legislation is often introduced precisely because defendants are acquitted thanks to such technicalities.


I'm glad you agree that the CFAA is problematic. I think we may to some extent be talking past each other.

What I am objecting to is legislation in the style of the CFAA. Notwithstanding the name, it is barely addressed to fraud at all. It concerns itself primarily with unauthorized access, arguably a component of certain types of fraud, but which is a completely ridiculous thing to legislate against. Because while it is probably safe to assume that unauthorized access is generally bad, the question of how bad is determined entirely by the specific facts of the case. If you access a computer (e.g. your family member's work laptop) "without authorization" in order to check your own email, that is on an entirely different planet from doing so in order to obtain military secrets in preparation for a terrorist attack. The entire world of possible criminal penalties lives between those extremes. So prohibiting what is quite plausibly the precursor to an entire legal code worth of different crimes is totally absurd because there is no sane way to assign proportional penalties to it -- if you assign penalties greater than those of the most trivial of offenses then you create a disproportional penalty for such offenses just because a computer was involved and even trivial offenses are, as a rule, unauthorized. In theory one might argue that unauthorized access should still be an offense with the lowest of maximum penalties, e.g. a $100 fine, but with penalties that low it just seems like a waste of effort to even bother with it. And it sounds like you may agree with some of that, though I'm not sure what possible value you think can be salvaged from it.

What you're talking about with electronic forms perhaps not matching up with 20th century fraud legislation is a completely different animal. I think as a general rule that is the sort of thing that judges are able to see through, but in specific cases where this has failed to occur it naturally makes sense for the legislature to update the statute.

I'm just still not clear why you believe it should be a separate statute rather than merely a collection of relatively minor updates to long-standing law. I don't see how setting up a fake physical storefront and then collecting layaway deposits before skipping town to the next state should require a distinct piece of legislation from doing the exact same thing with a website. Perhaps the language will have to be adjusted to make sure the new offenders fall into scope, but why should the penalties be different? Or (in broad strokes) the elements of the crime? Or the intent requirement? Why reinvent the wheel? If you reinvent the wheel you get untested catastrophes like "unauthorized access to a computer."


> Because when that law was written it wasn't obvious how to distinguish in law between authorized and unauthorized access.

But that's not what the laws do. They make committing fraud with a computer a worse crime than committing fraud some other way; that's a completely separate issue from defining what constitutes unauthorized access.


> But the breadth and vagueness of the existing law...

My point is this: of necessity, most laws are broad and vague, and it relies on judges to build the necessary case law to interpret it.

The current law absolutely needs to be addressed, but 'computer law' will always be 10 steps behind the technology. The much bigger issue is the fundamentally flawed, inhumane and insanely expensive US justice system.


>My point is this: of necessity, most laws are broad and vague, and it relies on judges to build the necessary case law to interpret it.

I don't think that is a necessity at all. What it is is a trade off. Compare tax law with antitrust law. There is relatively little vagueness in tax law, which is why the statutes are so verbose (or vice versa). Antitrust is technically "statutory" in that Congress passed the Sherman and Clayton antitrust acts etc., but the statutes are very short and very broad and their meaning has been defined almost entirely by the courts.

Each has advantages and disadvantages, but going too far in either direction is disastrous. (Which is why both tax and antitrust are a huge mess.) And that's where we are with the CFAA. The statute doesn't designate any particular harm you have to be aiming to cause, it just says "access without authorization -> felony conviction" regardless of whether you stole anything or hurt anyone or intended anything malicious, etc. It encourages courts and juries to think in terms of whether you violated the letter of the statute rather than whether you did anything specifically objectionable, and assume that any such violation must be a terrible crime worthy of that level of penalty without requiring any evidence that the circumstances of the specific case justify that outcome.

I honestly think we could repeal it entirely without any negative consequences following, because the actually objectionable things that people can do after they access a computer without authorization would still be separately illegal.

>'computer law' will always be 10 steps behind the technology.

I'm not at all sure that this is true. Most "computer law" is redundant garbage: There are laws against fraud, espionage, copyright infringement, etc. Those laws don't inherently become obsolete just because you add "on a computer" to it. Perhaps they need to be adjusted in certain ways -- often as a result of economic changes brought about by technology -- but that is no excuse for having a duplicate set of expansive, poorly drafted laws with extraordinary penalties that aim to serve substantially the same purposes as those that have been time tested over hundreds of years.


> My point is this: of necessity, most laws are broad and vague, and it relies on judges to build the necessary case law to interpret it.

Not if you're living in Continental Europe, where case law doesn't exist, precedent rarely matters, and all law is statutory law.

German law had to be amended for certain cases of computer criminality, e.g. illegally obtaining access to data which was impossible before without breaking into a building and stealing physical documents, so it was usually covered by theft before; or destroying data, which was just destroying physical things before. There were also problems around faking access tokens which is a bit like faking a document (think passport), but really not the same thing.

But there is no special case for something like computer fraud, that's just covered by regular fraud.

Edit: I stand corrected, there's actually a law about computer fraud: http://dejure.org/gesetze/StGB/263a.html, though it's essentially a reference to the law about regular fraud. The difference is apparently that fraud is defined as tricking _somebody_, and computer fraud happens without tricking a human person (but rather a program).


Agreed, this is part of why we have judges! Besides, if you think law is a tortured convoluted process today- just wait until we try to write it to explicitly handle every possible corner case.

The reason our laws have held up fairly well thus far is because they are vague. For example, the "reasonable person" clauses. What is considered reasonable changes with time. Do you really want to have to re-write all the laws centered around "reasonable person" every couple decades?

Remember, the legal system is not a computer. It doesn't necessarily make sense to approach it like one. Many of us here are programmers, and sometimes it shows.


"Do you really want to have to re-write all the laws centered around "reasonable person" every couple decades?"

Yes, and in fact, I would like every law to expire no more than 10 years after it is passed. We have too many laws and too many ways to become a criminal; force politicians to spend their days renewing necessary laws and we'll curb our out-of-control legal system. Keep the legal system straightforward, so that nobody is confused about whether or not they are committing a crime. Eliminate plea bargaining. Reduce the power of prosecutors, and reduce the power of the police (let's start by reducing the power of their firearms -- we really don't need soldiers serving search-and-arrest warrants).


If this was such a great way of doing things, why don't we programmers (who of course have everything all figured out) already do this in our code? Have a harvester that regularly walks your VCS and deletes any function older than 1 year. Sound like fun?

> Keep the legal system straightforward

Being explicit is not the way to achieve that. Explicit handling of corner cases is always confusing when there are many, even more so when you are speaking in legalese. "Reasonable Person" codified explicitly would take pages and pages and pages. You think that would be more understandable to the layman than, "What a Reasonable Person would do"?

If Real Life and People could be so easily codified, heuristics would be a completely useless field.

> Eliminate plea bargaining. Reduce the power of prosecutors, and reduce the power of the police

What does that have to do with this line of discussion?


Instead let's apply another software development concept to the law: regression tests. The current legal process is like deploying untested code to production (We aren't even sure if it will compile, but heck, ship it anyway! Got a campaign to run!).


"Have a harvester that regularly walks your VCS and deletes any function older than 1 year. Sound like fun?"

Periodically reviewing code to ensure it still does what it needs to do is not exactly unheard of, and neither is replacing old code with new code. It is how we keep our software up-to-date.

How about the flip side: how would you like to have no code ever erased -- how would you like to spend your time supporting code written 50 years ago side-by-side with code written yesterday? That is what our legal system is like right now: laws that made sense decades ago, laws that made no sense decades ago, laws that were passed this year, etc., all relevant and applicable today. The government cannot even count the number of laws on the books at this point.

"Explicit handling of corner cases"

How about not bothering with corner cases? Let people whose actions seem criminal but which do not meet the definition of any crime go free. Do we really need to prosecute every single person who does something we do not like?

Our justice system is supposed to favor innocence, not guilt. Yet we see the exact opposite happen with the "let's make sure we never have corner cases by being as broad as we can be" approach to law.

The point is for laws to have a clear boundary between innocence and guilt. Nobody should be unsure about whether or not they are breaking the law and we should not be relying on a handful of judges to make such determinations.

""Reasonable Person" codified explicitly would take pages and pages and pages."

Sounds like the real problem here is that we have laws based on what "reasonable people" do, which is a pretty conservative approach to law. Why should the law be concerned with "reasonable people" -- why shouldn't the law just clearly state which actions are illegal and which are not?

We seem to be pretty straightforward sometimes. We define BAC limits for DUI laws. Why not be straightforward about computer crime too? Why not be straightforward about all laws? You are right, most people cannot understand pages and pages of laws -- so what are we supposed to do with the current legal system? You walk down the street at the mercy of the police, because in reality you have no idea which laws you might have broken or which laws you were expected to follow.

What would a reasonable person do? A reasonable person would get a job, climb the social ladder, and never complain about it. Reasonable people in the 19th century would not have complained about women not having the right to vote. Reasonable people in the 18th century would not have complained about the triangle trade or slavery in general. Reasonable people would not have rebelled against British rule, nor written the Magna Carta. Laws should not be based on what reasonable people would or would not do; laws should be based on ensuring that people can continue to enjoy their freedom.

"What does that have to do with this line of discussion?"

I suppose that last comment was only tangentially related. The combination of broad laws, powerful prosecutors, and plea bargaining is the reason America is the world leader in imprisonment. Most of our prisoners never received a trial, because the odds were so severely stacked against them that they just accepted the plea bargain on the advice of their lawyers (often overworked public defenders). This is not a theoretical problem, it is the reality of our justice system and of our society.


I think our disagreement boils down to one thing. You believe our legal system could be fairly and justly encapsulated in a document perhaps the size of a dime novel, if only people had the forethought to make laws the way programmers (that godly race) write programs.

Yes, I'm being a little bit snarky. I can't help it. Besides the part where the real world is infinitely more intricate than a computer, software projects routinely fall into exactly the sort of chaos you are saying a pragmatic "boolean" approach to law would avoid.

There's an effect whose name I cannot remember that people in tech fields are particularly prone to fall victim to, wherein an individual wildly underestimates the amount of difficulty and effort required to tackle fields which are not his own. I believe you are falling victim to this effect.


Is approaching our body of laws like a programmer necessarily a bad thing?

I'm being a bit tongue in cheek here, but to use your example - if only our body of laws were properly DRY, changing that precisely-defined 'reasonable person' would only require one tweak.


"of necessity, most laws are broad and vague"

What necessity drives us to such laws? Perhaps the prison operator industry considers such laws to be a necessity, or maybe the police officers' unions, but in what way does our society need laws that are so broad that nobody knows whether or not they are actually following them?

How about we make laws as narrow as possible, just enough to cover heinous crimes, and let people live their lives? Nobody should be confused about whether or not they are following the law. Laws should be clear, and should not require years of education and decades of experience to understand. What would be wrong with that?

Are you worried that creepy people you do not like will not be arrested because they found a path through the law that allowed them to be creepy without being criminal? Why should that be worrisome? Such people are common in the financial world, and the rate of clinical psychopathy is higher amongst corporate executives than among the general population -- why do you think corporate bosses have teams of lawyers helping to guide them through business decisions? Why shouldn't ordinary people be able to say with certainty, "This action will not get me arrested?"

The problem with having laws as broad as we have now is that anyone who is different becomes a victim. The government does not just go around selecting random people to prosecute, despite having the legal power to do so. Instead, the government has a weapon that can be used to keep the population in line. Dare to speak up, dare to take a stand against those in power, and you become a target. It happens over and over again: whenever someone uses their skills in a way that does not fit the neat model of "get a job or start a business" they become a target, and the moment they try to take on the system or fix the problems we have, the hammer strikes and strikes hard.


> There should also be a push for better use of discretion and 'common sense' from the US judiciary.

As a general matter (IOW I haven't analyzed the CFAA in this light) the judiciary only has as much discretion as the legislature grants it. Populist legislators do not like the idea of an independent judiciary and frequently attempt to exclude legislative clauses from judicial review - which attempts often fail, but at considerably increased political cost to the judiciary. I'm personally biased, but it's worth considering that there are a lot more constitutional constraints on the executive and legislative branches than upon the judicial. 'Judicial activism' is the buffer on which many a judicial career has been halted, no matter how well-founded the decision it is applied to.


I'm not sure, at least in Swartz's case, you can fault the judiciary for not exercising its ultimate discretion over punishment when no judge ever got to make that call.


And yet it had already cost him 2 years of his life and millions of dollars.

I should amend the comment to read "justice system", but judges are ultimately responsible for the fair and equitable operation of their courts.

That is clearly not happening.


The prosecutor brought a case within the letter and spirit of the law. What was the judge supposed to do at that stage, exactly?


>It should never take two years and millions of dollars to have a case like this settled, one way or the other. It seems a basic violation of human rights that it could happen. This is the general problem that needs to be solved in the US.

>There should also be a push for better use of discretion and 'common sense' from the US judiciary.

I cannot agree with your comments more. When people can't afford justice, justice may as well not exist. And there needs to be a better mechanism in place to thwart overzealous prosecutors from bullying defendants who are, almost by definition, weaker than the prosecution (as they are either less informed about the rules of the game, or have to pay through the nose for the services of someone who does.)


The idea of "law as program" vs "law as guideline" is certainly a dangerous one, and has become far too common lately. However, I don't think that we should rely on discretion too heavily. It should be the exception not the rule. Today it is the rule, and that means that for all intents and purposes it is de facto "the law", regardless of what's on the books. Which takes away a lot of the checks and balances we have in place to keep the law reasonable and to ensure it works toward advancing liberty rather than fighting against it.


If there is a law that can possibly be unreasonably used to frighten someone, it needs to be clarified and explained and quantified and whatever else so that this kind of thing doesn't happen again. Needs to be given more thought before someone can use it in this manner at the very least.


Can we start with shaming the prosecutors? Just pull public records, say with PACER.


PACER is free if you use less than $10.00 per year. If everyone used RECAP, there would be no need to access any document more than once.


I wasn't aware of RECAP. Having searched for it I came across a page on the pacer site[1] where Pacer say if you use it for free you aren't allowed to use RECAP. I'd be interested to know whether it's legal for them to have a fee exemption for limited purposes that allows them to make a prohibition on transfer of information that is (as I understand it) public domain.

Edit: I've looked on www.recapthelaw.org and couldn't find any clarification on this.

[1] http://www.pacer.gov/announcements/general/exemptnotice.html it's the third result when searching for [pacer recap]


Let's instead fix vast overcharging, with 5x-20x pleabargain:max sentence ratios. If something is bad enough to lock someone away for 20 years, 2 years shouldn't be an option just because they made the legal system cost less money. Plea bargains are coercive, undermining our rights to a trial by the jury of our peers, and are likely coercing false testimony/false corroboration of evidence against 3rd parties far more than they should.

More trials for actual bad things, fewer arrests for just marginally bad things, and less prosecutorial discretion is what we need here. Computer crime having overly high penalties in most cases is merely a symptom of a general problem we should be solving for all law.


How about not having plea bargains? The odds are always stacked against the defendant in a plea bargain, and plea bargaining is the primary reason we have the world's largest prison population, as well as the only reason so many of those prisoners were never actually found guilty in a court of law.


This might be too extreme, but what about forcing the prosecution to put some skin in the game where it comes to predicting the eventual outcome of the case?

In civil matters parties have the option of making a "Calderbank Offer", in which they put forth a reasonable resolution for the dispute by mutual agreement. If the other side does not accept that offer, but does not get a better outcome than the offer made, they are punished with costs consequences (for tying up court resources, forcing the other party through expensive litigation etc).

In a criminal trial, perhaps the prosecution should be required to go on record stating the sentence they will be asking the court for. In the event that the actual sentence varies significantly from the sentence threatened by the prosecution, a discounting procedure could be applied (for every 10% the prosecutor overstates the likely sentence, the accused receives a 5% reduction in their sentence).

i.e. if a prosecutor proposes a 4 month custodial sentence for accessing academic journal articles, and a judge imposes 2 months, the accused would be entitled to a 50% discount, and serve only 1 month. If the prosecutor proposes 35 years, the accused serves no time.


Judges just accept prosecutor's amount over and over and over.

Doesn't work.


Yes. This is just a fragment of a much larger problem.


The CFAA is far too big a stick to trust with federal prosecutors. Aside from the case the EFF names, it was also used to threaten geohot [1] when he first released details on the PS3 jailbreak. Sony argued that geohotz's access to his own (!) PS3 constituted unauthorized access to a protected computer and this claim survived a preliminary motion to dismiss.

1. http://www.groklaw.net/article.php?story=20110218181557455

EDIT: I do realize that geohotz's case is civil; in my opinion both the civil and criminal aspects of the statute are wrong.


I think that the important part in the eternal debate about large vs small government is missed - the real problem is fuzzy government. The one with overly broad and ill defined powers and fuzzy laws. What we need is a precise government where the functions and powers granted to the executive branch are not allowed for discretion, interpretation and overzeal.

Unlike the rights of the constitution that are universal and eternal the laws describe the here and now - so every law should have its built in expiration trigger (10-20 years) - this will ensure that the congress will act to reauthorize it if they like it so much. And because of the limited time they will be forced to triage and some insanities will just expire.


There is always another side. In general, I think you want fuzzy laws, as there are fairly universally agreed 'bad' things, though not a single person has a good definition of 'bad'. A computer 'crime' or 'fraud' can easily be understood by an informed jury, judge and prosecutor and be just beyond the very letter of the law. So long as our system is adversarial in nature, I don't think an occasional push against the fuzzy line is in poor form, as long as there is commensurate push back. And in general, in the long run, this is a more equitable and just system than one of algorithmic rules where technicalities truly do trump intent.


I've never liked this argument. "Fuzzy" always helps prosecutors (unless the defense can argue that it's so fuzzy it's unconstitutional, which is pretty hard), because the prosecutor gets to choose who goes to court in criminal cases of first impression. They find someone with insufficient resources to mount a vigorous defense who happens to be wildly unsympathetic and the judge and the jury will make the contortions necessary to put them in prison -- and then that precedent sets the stage for the next prosecution.

Make the law clear and some defendant will get off on a technicality, but only once, then you fix the loophole. Over time the law evolves to more accurately reflect congressional intent as they pass patches to fix bugs, instead of leaving it to the courts and the biases (like prosecutors choosing who to prosecute when they want a precedent) that come along with that.


And for this system to work (I support it, by the way), we need to remind judges and prosecutors that their discretion is key to making the system work appropriately. Which means holding them accountable for misuses of the system.

It's for this reason that, after significant wavering, I've supported the petition for the removal of Carmen Ortiz, despite strongly supporting her prosecution of other white collar crimes. She simply lacks appropriate discretion for the position, especially in light of JSTOR and MIT's not pursuing independent legal action.


I agree, if only because I've seen it tried, and because you're essentially having to write a computer program for the legal system to execute. It's hard enough to do this right for machines that will do essentially anything you ask of it the same way every time, I can barely imagine how disastrous this would end up in the hands of elected legislators.


Sometimes I think the real problem is that we've lost the viewpoint of "it's better 1000 guilty go free than 1 innocent be imprisoned".

At the very least it shouldn't be so easy to, for example, drum up 35 years worth of charges on excessive downloading.


In fact, the situation today is probably the opposite. With plea bargains, I believe conviction rates are as high as 99.5% (IIRC). Somehow I find it hard to believe that 99.5% of people charged with a crime in this country are actually guilty. That seems dangerously high. I know that many innocent people are let off when a case or charges are dismissed, but of all those that do go to trial, more than a mere half percent must be innocent.


99.5% of accused are found guilty? That's totalitarian.


Mainly because of plea bargaining.

  "Fewer than 10 percent of the criminal cases brought by the
  federal government each year are actually tried before 
  juries with all of the accompanying procedural safeguards
  noted above. More than 90% of the criminal cases in America
  are never tried, much less proven, to juries. The 
  overwhelming majority of individuals who are accused of
  crime forgo their constitutional rights and plead guilty."[1]

From what I've read elsewhere, of the 10% or so that do go to trial, something like 9 times out of 10 the verdict is guilty. Given that a federal criminal trial takes $1.5 million to defend and that the prosecutor has all the weight and resources of the federal government behind them and the citizen has to rely on his own financial resources (which are likely to be frozen if they are well-heeled defendants), then that rate of conviction isn't surprising in the least. Federal criminal cases are totally asymmetric in favor of the federal government. As citizens, we always complain of well funded people prevailing in civil and criminal cases because of the money they have to defend themselves, but we ignore the well funded prosecution that US district attorneys have that allow them to consistently find people guilty who may not be.

[1] http://www.cato.org/sites/cato.org/files/serials/files/regul...


Sunset provisions for regulations and programs are a long-time conservative policy plank. A Sunset law to force regulation review was actually part of the Contract With America, and the libertarian-conservative wing of Congress forced a sunset provision on the first Patriot Act.


It would help if defendants could speak more freely about their finances without provoking the ire of a judge. This places advocates for free information in a bind. If you need to mount an expensive legal defense because you applied the principle that information should be free and, in consequence, find yourself in legal trouble (I'm speaking generally to avoid argument on inessential points) do you

1. apply the principle that information wants to be free to yourself and expose your finances, possibly provoking a judge; or

2. selectively apply the principle and in your own special case, not disclose your finances, although information wants to be free.

Until there is reform in this direction, activists for the information-wants-to-be-free principle either have to reconsider, or else understand that their ability to fund their legal defense may be compromised as well as the principle they acted upon.

Of course, a push for common sense and proportion from the judiciary might obviate this.


Some rejoinders to myself:

1. Personal information isn't the kind of information Swartz was attempting to liberate. It was publicly funded academic research behind paywalls. There is no principle of symmetry to appeal to. (If I am incorrect and the intent was that "information wants to be free," then symmetry holds: one cannot consistently be free with the information of others and prefer the exiguous disclosure of one's own.)

2. The government has systematically violated the laws it was accusing Swartz of violating many times over. (An inadmissible legal argument, I understand, but historically valid.)

3. His assets may have been frozen.

4. The disproportionate legal action against Swartz is an indication of the government's cyberspace vulnerability. It is also an indication of the imprecision of the law as it is written.


Vindictive prosecutions intended to "set an example" or "send a message" are simply cloaked ambition. And end up destroying lives.


In general, the sentences for different crimes/offenses have blown out of proportion. Usually an outrageous case of <mumble> goes around the media, and politicians respond by increasing the punishment. Or lobbyists push for it.

The whole thing (and not just in the US, in most states I know of) would need a new assessment, and not just one section at a time, but some kind of unified assessment.

It's a bit like a huge, sprawling code base that has never seen a major refactoring, and is in dire need of one.


This happens all the time with weapons. For example, during the Bruce Lee craze a lot of states passed laws against nunchucks which are still on the books. It's a continuing pattern. Moral panic -> SOMETHING must be done -> useless, unhelpful laws get put on the books. The same sort of security theater that we see today with the TSA and whatnot.


I have a better idea: a political party. The Internet Party.



Just like I couldn't take a hint from aaronsw and suggest the Progress Party due to cultural biases against Progressivism, anarcho-anything suffers the same.


This is unfortunately true.

Crypto-anarchism is fairly unique though in an important way. It does not require approval and the technologies that are created by self-described crypto-anarchists can (ideally) be used by anybody, not just those who are also interested in self-identifying as something so weird and fringey.

Hell, you can even create technologies that don't even need to be used by the general public for the general public to benefit from them. Firesheep is a fine example of such software; a few years ago most sites were wide open to that attack but after the release of an exploit with a slick interface and some effective publicity, most social networking sites tightened up their ship. Sure, it is questionable what good this really does against a government like the US, but people in other parts of the world surely benefit.

Your parents need never respect, understand, nor even hear of crypto-anarchy in order for it to have a positive effect on the world. It has the potential to do good without requiring ideological buy-in from the masses.


Agreed, although I believe there are technological and societal reasons why crypto-anarchism could become a reality regardless of populist support.


How about a Pirate Party?


Not to be argumentative, but I don't think the problem is draconian computer crime law, as such. The problem here is a deeper one: the constitutional bias towards procedural rather than substantive guarantees. This bias is partly responsible for the constitution's longevity (and by extension, that of the Republic), but is also responsible for the exhaustive and attritional nature of common-law legal proceedings.

This is a huge problem in the criminal justice system in general, as well as in other areas of law. I prefer common law to civil law systems, but that's partly because I grew up in one. It's more flexible, but at the expense of much greater complexity and arguably much lower predictability.


Could you elaborate on what you mean by substantive vs procedural?


Very, very briefly: Substantive is the what, procedural is the how. In Aaron Swartz's case the substantive argument is that copying academic journal articles shouldn't be a prosecutable crime in the first place, but at worst a civil tort. The procedural argument is that Swartz went about his activities in a demonstrably illegal fashion and was arrested pursuant to a properly issued warrant. Is the law stupid? Maybe, but that's what it says and we're just following it as written. Now in a civil law country (where legislative text >> precedent) you'll often enjoy all sorts of substantive protections that you wouldn't have in the US, but if you did break a law then you probably won't be able to argue your way out on technicalities like whether the police search was legal or you were read your rights correctly.

The constitution doesn't give you a whole lot of rights, but rather imposes a variety of limitations upon the government. If someone in government can find a hole in those limitations, then there isn't a whole lot you can do about it, at least in the short term. Look at the drug laws; Congress certainly seems to be within its rights to ban possession of certain substances, and there's no substantive right to say you have jurisdiction over what you put in your own body. Another famous legal example is the Dred Scott case; the Supreme Court of the day said that a law which gave a slave called Dred Scott his freedom was an unconstitutional infringement of his owner's property rights (procedural argument). Now we consider the whole notion of people being property invalid (substantive) so even the most logically watertight contract in which someone agrees to be the property of someone else is void and unenforceable. Now, contrast the familiar language of the US constitution with things like the UN declaration of human rights, which imposes very few strictures on how governments go about governing, but has a great deal to say about how people should be treated and is much more like the Declaration of Independence than the Constitution (http://www.un.org/en/documents/udhr/index.shtml).

This is a complex philosophical issue at the heart of legal theory and hard to sketch out in only a few sentences. Think of the above as an impressionistic sketch rather than a systematic description.


Thanks. That reminds me of a German book on law that I read, that briefly sketched how German law went from procedural to rights and obligations (i.e. substantive, if I get it right).

Just to check my understanding: Roman law was mostly procedural, wasn't it?


> In the Wake of Aaron Swartz's Death, Let's Fix Draconian Computer Crime Law

I think this is an unfortunate attitude to have. When such an event happens, it's easy to become blinded by emotions - and makes it more difficult to make rational, reasonable decisions.

Let's think about this calmly, logically, and with a level-head. Let's not have the reputation of making decisions that are emotionally driven.


I have been thinking calmly and logically about the CFAA for years, starting with my last year of college. I have long held the opinion that the punishments handed down for computer crimes are entirely out of whack, and time and time again we have seen computer crime laws used to attack people who have not done anything most people would consider to be "wrong." Computer crime laws seem to be based on the idea that hackers are dark wizards whose powers are limitless if they are allowed to walk free. It is a symptom of a society that is vastly ignorant of the machines it relies on, coupled with a far-right ideology that says that the only reason anyone does anything is to advance their financial interests (e.g. that nobody would download files that a company makes millions selling access to unless their goal was to make millions).

In the early 90s, the government tried to prosecute hackers over the Bellsouth E911 document using computer crimes laws -- and they were laughed out of court when the defense revealed that the document was a less-detailed version of a technical document that could be purchased for less than $20. We are looking at the same situation with the prosecution of Aaron Swartz: ludicrously overstated charges and overzealous prosecutors whose knowledge of computers is on the level of a chimpanzee (not to mention their sense of justice). Laws like the CFAA create this situation by enabling the sort of behavior we saw from the prosecutors in this case.


Many people already feel this way. The addition of a little emotion can be the difference between doing something and letting it slide another day.

If these laws were not a core piece of the issues surrounding Aaron's suicide, I would be disgusted. As it is, saner laws would have pushed the prosecution to take a more reasonable stance, so if we can push for change, great.

Unfortunately, I don't think there is anything we can do to actually impact such change.


I think the problem is not the Law itself. The problem is that in order to protect yourself (even if you're not guilty) you have to spend an ENORMOUS amount of money. From this perspective rich people have more access to the basic rights (in this case ability to defend themselves) rather than poor.


Connected people have a better ability; being rich does not guarantee you protection from Federal prosecutors. The Feds act with near impunity and only someone connected with the press or government officials really stands a chance against them.

A relatively unknown internet person, regardless of money, is an easy mark to them.

The issue I take with the case is the piling on by the prosecutors. There needs to be some limit to the number of charges one can apply and total time applied for cases where no life is lost. The current rules simply allow prosecutors to intimidate people into accepting punishment, even when those accused are not guilty of a crime; see the many false imprisonment stories around the net.

People cheer on these laws when applied to people they don't like, financial fraud cases are very similar and involve the same strategy, bury them in charges so they have to accept something.


You are fixing the wrong thing -- let's get the results of publicly funded academic research into the public domain. That, as a goal, offers a far greater good for humanity; the potential to save far more lives; and the greatest net benefit to us all.


You are fixing the wrong thing. Let's secure world peace first.

See what I did there?


Been there, tried that. Dinnae work.


Why not fix both?


Yes, true. Why not?


I think solving the problem of injustice in the legal system is not the "wrong thing." Really? While, yes, publicly funded research may need to be fixed and put in the public domain; it's not as if people that would use that research to do further research (i.e. scientists) don't already have access, albeit encumbered, to "save the world." However, people are definitely being treated unjustly -- seems like a higher priority.


It looks like some members of the US government need to re-read Beccaria's Of Crimes and Punishments.


Ghouls.



