
One of our many lawyers can relate to us how meaningful the complaint about the word count in the prosecution's brief is. Maybe it's a big deal; I have absolutely no clue about that point.

But the central argument to me in this piece is that the DOJ is simply criminalizing URL editing. That is to me a gross oversimplification of what's happened. The CFAA is constructed not to criminalize accidental or reckless unauthorized access, but instead using a "knowing" standard. The DOJ's argument in the Auernheimer case is that the defendant was aware that he shouldn't have had access to information tied to ICC-IDs, just as he'd have been aware had he tried to loop through Social Security Numbers in some other application.

There are plenty of sane arguments (see Orin Kerr† for a good survey) that what Auernheimer did shouldn't have constituted unauthorized access. I don't actually happen to agree with any of the ones I've heard, but, more importantly, I have a hard time believing that those arguments are so dispositive that they indicate malfeasance on the part of prosecutors.

To me, the central problem with the CFAA isn't that it's easy to trip. Rather, it's that the sentencing is totally out of whack, in two ways: (1) that CFAA reacts in a particularly noxious catalytic way with other criminal statutes to accelerate minor infractions into significant felonies, and (2) that sentences scale with "damages", which have the effect of creating sentences that scale with the number of iterations in a for(;;) loop, which is nonsensical.

The problem is not simply that once prosecuted, defendants face unjust sentences. It's worse: the oversentencing creates a perverse incentive for prosecutors, turning run-of-the-mill incidents into high-profile vanity cases that lock the DOJ into pointlessly aggressive prosecutions.

To me, it makes sense that what Auernheimer did should have been illegal, but it makes no sense at all that he's serving a custodial sentence over it.

(I did read the whole article; I didn't find the user-agent and responsible disclosure points particularly compelling, but maybe you did; I'm happy to opine about them as well. It's my judgement, not the article's overt wording, that the argument revolves around URL editing.)

http://www.volokh.com/2013/01/28/more-thoughts-on-the-six-cf...



I think my thoughts on the CFAA have evolved. I agree it's not easy to trip. I agree sentences are the problem. But as far as I can tell, the US Sentencing Commission is full of crazy people. The Sentencing Guidelines are bizarre. And the whole process has caused judges to abdicate their good sense and anchor their sentences to this messed up document.

If we can't trust sentencing as a process, and I'm beginning to believe we can't, maybe sensible laws can nonetheless be ultimately unreasonable in context.


Oh, let me be clear: the law has to change. I just don't think the definition of "unauthorized access" needs to be so dramatically narrowed as Robert Graham does.


Where were you when the Sentencing Guidelines were proposed in 1987? When they became law on November 1, 1989? The guidelines at that time were all about throwing drug dealers into jail for extended periods, but because you weren't a drug dealer, so what? Now those same guidelines are being used against average computer users. Because they said nothing before, it's too late now. What was the quote from the German pastor Niemoller? "First they came for the Socialists..."


> Where were you [@rayiner] when the Sentencing Guidelines were proposed in 1987? When they became law on November 1, 1989?

Judging from the on-line information available about him, he was three years old, or thereabouts.


That. is. no. excuse.


I was a child in Bangladesh at the time, but with the hindsight of history I will agree with Justice Scalia's dissent in Mistretta (http://en.wikipedia.org/wiki/Mistretta_v._United_States):

"Dissenting Justice Scalia believed the sentencing commission to be an unconstitutional delegation of legislative power by Congress to another agency because the guidelines established by the Sentencing Commission have the force of law: a judge who disregards them will be reversed. Scalia noted that the guidelines were 'heavily laden (or ought to be) with value judgments and policy assessments' rather than merely technical, Scalia also disputed the assertion by majority that the sentencing commission was in the judicial branch rather than the legislative saying the commission 'is not a court, does not exercise judicial power, and is not controlled by or accountable to members of the Judicial Branch.'"


My view, having read most of the prosecution's statement, as well as having chatted with weev about this, is that the system was open to the public.

Here's why. The prosecution details the steps Spitler took: downloading the iPad image, decrypting it, finding the url the system used (I'm guessing by running strings), and then spoofing an iPad browser request via the user agent string, and providing the userid to obtain an email address.

IANAL, but it seems that they are maybe trying to make the case that the user agent string was equivalent to a password, or that decrypting the image was the point of exceeding access. If decrypting the image was the issue, then I imagine this would be placed with all the other similar cases (DeCSS, etc), but it wouldn't constitute identity fraud. If the user agent string is seen as the password, then that is the weakest security system I've ever seen.

I haven't actually kept up with how AT&T apparently fixed it, but it seems that a rational response to this would be to make users authenticate with their own password BEFORE it spits out information like an email address. If you don someone's userid but have no password (or session id token, etc), I'd suggest that's impersonation, but not identity theft or fraud. If we're going to criminalize impersonation, I guess the Saturday Night Live cast needs to find a new career.

That said, I totally understand why weev contacted reporters and not AT&T. We're in an age where contacting large corporations about security fixes typically results in a gag order on the security researcher and no fix (hi Cisco). By contacting a reporter, he increased the chance that the story would get out and AT&T would fix the issue.

Finally, a lot of people have suggested that weev "deserved" to go to jail for other things he's done. I'm not denying he's a troll, and he has done some over the top things. However, it's not illegal to be a troll, and while one might say he should be in jail for other things he has done, he is currently in jail for this. IMHO, the punishment not only outweighs the crime, but in conjunction with the other abuses of CFAA prosecution we've seen lately (such as Aaron Swartz), I think it's time we stop allowing the government to use poster children like weev as punching bags for obvious career boosting agendas.


A security system's weakness does not grant permission to break it. That gets said every time we have this conversation, but I guess it needs to be said again.


When does accessing a system turn into breaking a security system? Let's say I am trying to access an Internet Explorer only website with Firefox, and it gives me an error. I change my user agent, and it lets me in. Did I just commit a crime?


According to the law, and what seems like common sense to me, when you know or should have known that you were accessing something you weren't meant to.


And who gets to define when you're "meant" to? The law we're talking about was written in 1986, before the web even existed. Haven't we already had this conversation with regards to Google (the debacle over the robots file) and other systems?

Finally, even if it is concluded that weev committed a crime, something with which I disagree, would you say it's ok to punish it by nearly 4 years in prison, denial of medical care, and solitary confinement for using email? All of those things have happened after he was indicted.


Same people who decide every other time the law calls for consideration of intent and mental state of defendants (which is a lot) -- the judge and jury.


And that gets back to what the authors of the article are talking about. The judge and jury have no idea what this long-haired, bearded internet troll actually did. So they accepted the prosecution's assertion of, "He's a witch!" and handed down a guilty verdict.


He accessed data belonging to other people that he should not have, and knew he should not have. (And then went on to make very unwise statements about his intentions of how to handle that data.)

That's all that really matters to the judge and jury. The technical aspects don't matter much to them.

Also: If ease of access to information means anyone can take it, do you mean to say the NSA should take whatever they want because people don't encrypt their data?


If that information is so valuable, then shouldn't some burden be placed on AT&T for negligence? If this had been health care records, AT&T would have been required to notify users and possibly pay a fine. Perhaps it makes sense to have similar laws in place to protect all data, as Europe does (see ECHR).

The point here is, if we want to nail weev to a cross, AT&T should be nailed up right next to him.


Some blame should surely be placed at AT&T's feet too, but IMO not as much. Going back to the door analogy, whoever leaves it carelessly unlocked will definitely get less sympathy (e.g. insurance may decline to cover the loss), but that does not mean they're anywhere near as guilty as the thief who actually committed the burglary.


I don't think the door analogy entirely works here. Here's why:

For a typical burglary, person A leaves their door unlocked, and person B walks in. The items clearly belong to person A, and when person B takes them and walks out, theft has clearly occurred.

In this case, person A walks near person B's house, and sees that person B has laid the possessions of person C all over the sidewalk. Person A brings out their duplicator machine, creates mirror images of all person C's items, takes those mirror images, and walks away.

While there is a question of whether person A should have duplicated those items, person C is sitting across town clueless as to what's going on. There's also the question of whether person B should have left things all over the sidewalk, or should have placed the things behind the door.

If we begin comparing accessing a website to opening a door, that creates a lot of legal confusion. IANAL, but IIRC, the current legal understanding is that a computer on a network falls under the jurisdiction of the network. If that's the case, and we consider the Internet to be a public place, then a web server placed on the internet becomes public, unless there's a password on it. If, instead, we consider web servers to be like doors, where you need permission to access them, then anyone who spiders a website might be considered guilty of attempted breaking and entering. For another example, does it make more sense to allow smartphone apps to have full access to your phone by default, or should permission be granted for special capabilities? AFAIK, consent in this area is not very well defined.

In the traditional sense of theft, there is an object that I once had in my possession and it has now been taken from me. That doesn't really work so well with digital media where the supply issue goes away.

There's a lot more to this discussion, but I'm curious what the next response will be :)


I have a pretty good understanding of what he actually did, and when I think about the implication of immunizing every similar action by anyone on the Internet --- any vulnerability triggered by a preauth GET handler --- I have no trouble seeing why what he did was illegal. You can safely monkey around with other people's systems under that reading of the CFAA. But, once you find yourself getting private information about other users, you know something's wrong, and you need to stop right away. He didn't. Coming into that knowledge and then continuing to exploit the system is the crux of the prosecution's case here, not the nature of URLs.

But, again: I think this case didn't deserve to be prosecuted, and I think CFAA's sentencing should be revised to ensure that in the future prosecutors have no incentive to push pointless cases like it.


We aren't arguing about what he did. We are arguing about why he did it. Did you seriously just not read the entire conversation above the comment? The technical aspects of exactly what he did aren't important.


Add to that the multiple perverse incentives in every direction. Folks are discouraged from being curious, regardless of their intentions for harm. Meanwhile, creating a system that fails to protect the most valuable details of customers is punished very lightly, if at all. Companies are only, in theory, obligated to disclose breaches that could reveal customer data if they learn of them. The easiest route for a company to take is to take a lackadaisical approach to security and expend the bare minimum of effort on audits, with the hope that any breaches will be sophisticated enough to be imperceptible by them. We've seen this approach played out in the real world with lots of companies.

We should be thankful that braggarts and clowns like anonymous et al exist because they bring to light many breaches and weak security systems that would have been kept secret otherwise.


> I didn't find the user-agent and responsible disclosure points particularly compelling

I think you may be right from a legal perspective but I find it troubling that the law is so structured. I think it's important that when dealing with a system that's designed to serve some information to the public, but not other information, it's critical that there be no ambiguity about what a given person is allowed to access.

I do not mean to say that all security mechanisms must be effective, else the issue of unauthorized access would be moot, but that no reasonable, technically adept person would think the security mechanism is not a security mechanism. In the case of a website or web service, a number of well-known industry-standard mechanisms exist, and it's reasonable to expect people to use them.
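The lookup described earlier in the thread (a device identifier in, a subscriber's e-mail out, with the user agent as the only gate) and this comment's point that a control should be one nobody could mistake for a non-control, modelled side by side. This is an added example written for this page, not code from the thread or from AT&T's application: the handler names, the session cookie, the subscriber and ownership tables, and the access-log format are all assumptions made for the illustration. The weak handler answers any existing identifier for anyone presenting the expected header; the hardened one authenticates first and then checks that the caller owns that specific identifier. A small log check at the end shows the signal an operator would alert on, a client walking through many distinct identifiers.

```python
"""
Model of the exposure discussed in the thread (a lookup that returns a
subscriber's e-mail for an ICC-ID, gated only on the User-Agent header)
beside a version that authenticates first and checks ownership of the
identifier, plus a small log check for clients that walk many identifiers.
Constructed illustration: the handlers, tables and log lines are assumptions
made for this example, not AT&T's application or any real code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data: device identifier (ICC-ID) -> account e-mail.
SUBSCRIBERS = {
    "8901000000000000001": "alice@example.com",
    "8901000000000000002": "bob@example.com",
}

# Constructed session store: opaque token -> account. A real service issues
# the token server-side after a password login; that step is not modelled.
SESSIONS = {"sess-alice": "alice@example.com"}

# Which identifiers each account is allowed to see (object-level ownership).
OWNERSHIP = {
    "alice@example.com": {"8901000000000000001"},
    "bob@example.com": {"8901000000000000002"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to the lookup endpoint."""
    iccid: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def lookup_weak(req):
    """Weak design: the only 'gate' is a header the client chooses itself.

    Any identifier that exists is answered for anyone presenting the expected
    User-Agent; the header describes the client, it is not a credential.
    """
    if "iPad" not in req.headers.get("User-Agent", ""):
        return 403, None
    email = SUBSCRIBERS.get(req.iccid)
    return (200, email) if email else (404, None)


def lookup_hardened(req):
    """Hardened design: authenticate, then authorize the specific identifier."""
    account = SESSIONS.get(req.cookies.get("session"))
    if account is None:
        return 401, None  # no server-issued session: no lookup at all
    if req.iccid not in OWNERSHIP.get(account, set()):
        # Same answer for "not yours" and "does not exist", so the endpoint
        # cannot be used to confirm which identifiers are live.
        return 404, None
    return 200, SUBSCRIBERS[req.iccid]


# Constructed access-log lines for the detection check below.
SAMPLE_LOG = [
    "10.0.0.5 GET /lookup?iccid=8901000000000000001",
    "10.0.0.5 GET /lookup?iccid=8901000000000000002",
    "10.0.0.5 GET /lookup?iccid=8901000000000000003",
    "10.0.0.5 GET /lookup?iccid=8901000000000000004",
    "10.0.0.5 GET /lookup?iccid=8901000000000000001",  # repeat, not a new id
    "10.0.0.9 GET /lookup?iccid=8901000000000000002",
]

LOG_RE = re.compile(r"^(\S+) GET /lookup\?iccid=(\d+)")


def enumeration_suspects(log_lines, threshold):
    """Return {client: distinct_ids} for clients that looked up more than
    `threshold` distinct identifiers. One account rarely needs more than a
    handful, so a high count is the signal an operator would alert on."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    ipad = {"User-Agent": "Mozilla/5.0 (iPad)"}
    print(lookup_weak(Request("8901000000000000002", headers=ipad)))
    print(lookup_hardened(Request("8901000000000000002", headers=ipad)))
    print(lookup_hardened(Request("8901000000000000001",
                                  cookies={"session": "sess-alice"})))
    print(enumeration_suspects(SAMPLE_LOG, threshold=3))
```

The design point is that the hardened handler never consults the User-Agent at all: the decision rests on a server-issued session and a server-side ownership table, both of which the client cannot choose. Returning 404 for both "not yours" and "does not exist" keeps the endpoint from confirming which identifiers are valid even to an authenticated caller.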


There are plenty of sane arguments, sure. Weev is clearly scum; it's possible that he was doing this entirely maliciously. That's not the argument that the prosecutors are making, though, nor have they established any of his actions were illegal beyond reasonable doubt.


None of the arguments I think about have anything to do with who Weev is. I am almost solely concerned with precedent.


Have you seen Kerr's full appellate brief on Auernheimer's behalf? IMO it's more compelling than the post you link, at the expense of being considerably longer: http://www.volokh.com/wp-content/uploads/2013/07/WeevBrief.p...



