Laws like the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act put security researchers at risk of felony prosecution for telling you about bugs in the computers you put your trust in, turning the computers that know everything about us and watch everything we do into reservoirs of long-lived pathogens that governments, crooks, cops, voyeurs and creeps can attack us with.
Read the rest
Andrew “weev” Auernheimer is serving a 41-month sentence for visiting a publicly available webpage and revealing that AT&T had not secured its customers' sensitive financial information. Now, weev's lawyers are appealing, and in the opening day's arguments, Assistant US Attorney Glenn Moramarco admitted I don’t even understand what [Auernheimer actually did.]
" Then he compared it to blowing up a nuclear power-plant.
The CIA's Inspector General has asked the Justice Department to consider criminally charging CIA agents who spied on a senate committee that was engaged in writing a report that was highly critical of the CIA's use of torture. Senator Mark Udall, who sits on a CIA oversight committee and whose staff was spied on by the CIA alleges that the CIA surveilled overseeing senators and their staff with Obama's knowledge and consent.
In a recent hearing, Senator Ron Wyden asked the CIA director repeatedly whether the Computer Fraud and Abuse Act, America's major anti-hacking statute, applied to the CIA, and whether the CIA spied domestically. CIA director John Brennan replied "yes" and "no," respectively. If Udall's allegations are correct, this means that Brennan lied to Congress (in the second instance) and committed a felony (in the first instance).
The report that caused some CIA agents to spy on their bosses was about how the CIA was wasting time, getting nowhere and doing something illegal and cruel when it kidnapped terror suspects and tortured the shit out of them.
Read the rest
In Matot v. CH, et al, a middle school assistant principal named Adam Matot asked a court to find that two students who'd set up parody social media accounts mocking him had violated the Computer Fraud and Abuse Act, and when the court laughed that out the door, asked the court to find that the students had violated the RICO Act and were engaged in organized crime. Thankfully, the court understood that this was raw sewage disguised as legal theory [PDF] ("Congress did not intend to target the misguided attempts at retribution by juvenile middle school students against an assistant principal in enacting RICO.") and found for the kids. Here's some trenchant analysis from Venkat Balasubramani:
Read the rest
A large group of "security researchers, academics, and lawyers" have signed onto a letter to Congress demanding that lawmakers enact "Aaron's Law," which would reform the antiquated and terrible Computer Fraud and Abuse Act, which US prosecutors claim makes violating online terms of service into a felony punishable by imprisonment. This is the law that was used to persecute Aaron Swartz, who was accused of violating terms of service by automatically downloading academic articles, rather than accessing them one at a time. The federal prosecutor threatened Aaron with 35 years in prison.
Read the rest
Stephen Heymann is the assistant US attorney who made it his mission to see Aaron Swartz sent to prison for violating terms of service by downloading scientific papers with an automatic script, rather than individually, by hand. Heymann spent a lot of time working with MIT on this -- Aaron used MIT's network to allegedly violate the terms of service -- and in his efforts to get MIT to stay involved in the face of public criticism for their cooperation, he compared Aaron to a rapist who blames his victim. Aaron's lawyers have asked the DoJ to investigate Heymann for breaches of professional standards.
Read the rest
The Electronic Frontier Foundation's Legal Director Cindy Cohn writes in detail about the MIT report on its involvement in Aaron Swartz's prosecution. She criticizes MIT's claim to neutrality in the matter, showing the way that the university went to great, voluntary lengths to help the government prosecute Aaron, and eventually siding with the government in motions to keep the evidence that it turned over to the prosecutor admissable. Cohn shows that MIT's likeliest motivation for this was saving face. Ultimately, Cohn says, "MIT's actions in helping the government prosecute Aaron are shameful, and betray the institution’s commitment to technologists."
Update: Cohn wrote in to add, "The prosecution turned on whether Aaron's access to JSTOR via the MIT network was 'unauthorized' and MIT had tremendous power over which way that decision went in the case. The report acknowledges this but simply repeats MIT's assertion that it didn't actually realize it without criticism or noting how unreasonable (or not believable) this assertion is. The CFAA isn't unknown or unknowable and the folks handling this are in the General Counsel's office. 'Unauthorized access' is the statutory language. And of course MIT's belief that Aaron's access might be unauthorized (as in violation of MIT's policies or maybe JSTOR's) is why they called the police and why he was arrested at their instigation. The idea that after they called the cops they didn't understand what law might have been broken or why their network openness and policies mattered to that determination, such that they never even volunteered the information or asked the prosecution for its theory or more importantly gave information about this to the defense, just isn't believable."
Read the rest
EFF has retracted this post
The Electronic Frontier Foundation's Trevor Timm explains a disturbing and overlooked fact about the trial of Bradley Manning; the charge-sheet against him included two separate felonies under the Computer Fraud and Abuse Act, an ancient anti-hacking statute that has been used as a club to threaten security researchers and activists like Aaron Swartz. The CFAA makes it a separate offense to leak classified information using a computer, such that anyone caught doing so can be charged twice: first under the Espionage Act and again under the CFAA.
This gives tremendous and terrible leverage to prosecutors, who come to the negotiating table with double the ammo: "We'll drop the CFAA charges if you plead guilty to the Espionage Act charges" (or vice-versa). The reality is that there's nothing special about using a computer to leak documents -- indeed, these days you'd be hard pressed not to use a computer -- now that photocopiers, fax machines, phones, cameras and even the daily paper are all built out of computers.
Several Congresses have failed to modernize the CFAA, because the DoJ has forcefully argued that the ability to threaten people with decades in jail for simply using computers has given them the leverage to force "bad guys" to plead guilty, rather than getting a day in court.
Read the rest
MIT's report on its involvement in the prosecution of Aaron Swartz (PDF) has been published. The report does not apportion any blame to the university for Swartz's prosecution, stating the the university operated as a "neutral party."
Taren Stinebrickner-Kauffman, Aaron's partner, vigorously disputes the report's findings, calling it a whitewash, pointing out that MIT provided significant aid to the federal prosecutors who chased Aaron over downloading technical aritcles (which he was entitled to see) from its network, but refused to supply the same documents to the defense team, who desperately needed them. This makes MIT's claim of "neutrality" ring false.
Further, Larry Lessig has posted some preliminary thoughts on MIT's position, pointing out that it turned on a question of authorized or unauthorized access, and that the report says MIT never told the prosecutors that Aaron's access was "unauthorized," suggesting that the prosecutors knew they had no case.
Read the rest
"Aaron Swartz was not the first or the last victim of overzealous prosecution under the CFAA," write Democratic Representative from California Zoe Lofgren and Ron Wyden, a Democratic Senator from Oregon
. "That’s why we’re authoring bipartisan legislation — which, with the permission of Aaron Swartz’s family, we call 'Aaron’s Law' — in the House and Senate to begin the process of updating the CFAA." [Wired Opinion]
Read this if you want to stay out of jail.
When my friend Aaron Swartz committed suicide in January, he’d been the subject of a DoJ press-release stating that the Federal prosecutors who had indicted him were planning on imprisoning him for 25 years for violating the terms of service of a site that hosted academic journals.
Read the rest
Tim Wu's New Yorker piece on Aaron Swartz and the Computer Fraud and Abuse Act explains how Obama could, with one speech, fix the worst problem with the worst law in technology. The CFAA makes it a felony to "exceed your authorization" on a computer system, and fed prosecutors have taken the view that this means that if you violate terms of service, you're a felon, and they can put you in jail. As Wu points out, Obama doesn't need Congress to pass a law to fix this, he could just tell the DoJ that they should stop doing this. There's plenty of precedent, and it would be excellent policy.
When judges or academics say that it is wrong to interpret a law in such a way that everyone is a felon, the Justice Department has usually replied by saying, roughly, that federal prosecutors don’t bother with minor cases—they only go after the really bad guys. That has always been a lame excuse—repulsive to anyone who takes seriously the idea of a “a government of laws, not men.” After Aaron Swartz’s suicide, the era of trusting prosecutors with unlimited power in this area should officially be over...
There is a much more immediate and effective remedy: the Justice Department should announce a change in its criminal-enforcement policy. It should no longer consider terms-of-service violations to be criminal. It can join more than a dozen federal judges and scholars, like Kerr, who adopt a reasonable and more limited interpretation. The Obama Administration’s policy will have no effect on civil litigation, so firms like Oracle will retain their civil remedies. President Obama’s DREAM Act enforcement policy, under which the Administration does not deport certain illegal immigrants despite Congress’s inability to make the act a law, should be the model. Where Congress is unlikely to solve a problem, the Administration should take care of business itself.
All the Administration needs to do is to rely on the ancient common-law principle called the “rule of lenity.” This states that ambiguous criminal laws should be construed in favor of a defendant. As the Supreme Court puts it, “When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” So far, at least thirteen federal judges have rejected the Justice Department’s interpretation of the Computer Fraud and Abuse Act. If that’s not a sign that the law is unclear and should be interpreted with lenity, I don’t know what is.
Fixing the Worst Law in Technology
magazine sez, "We've gotten such a strong response to this and wanted to make sure anyone who knew Aaron - or who simply knew OF him - got a chance to hear the hour-long tribute
from Wednesday's 'Off The Hook' radio program in New York, a show he was a guest on only a few months ago. We played an excerpt of that, along with part of an incredible interview with Aaron at age 14 that underlines what a remarkable person he was. We also delved into the issue of depression in our community with excerpts from the 'Geeks and Depression' panel at HOPE Number Nine, and we had a roundtable discussion on what we can do better and where people at risk can turn. It's part of a continuing conversation that we need to have in every conceivable forum.
Carmen Ortiz, the US Attorney who hounded Aaron Swartz, threatening him with 35 years in prison for downloading scholarly articles from MIT's open WiFi network, has released a statement explaining how harmless and pleasant she had been with Aaron. Mike Masnick just shreds the claims Ortiz makes in her release:
If Ortiz truly believed that his conduct did not warrant such "severe punishment" then she would not have trumpeted the 35 years in the first place, nor would she have piled on more charges. That would serve absolutely no purpose whatsoever if her claim here was true.
Furthermore, as Swartz's lawyers have made clear, Ortiz and her assistant, Stephen Heymann were pretty explicit to Swartz's lawyers that if he did not take their plea bargain offer, the next offer would be for more jail time, and if he still chose not to accept the offer, they'd seek at least seven years for Swartz in court. Tossing out that six month claim as if it were proof of some sort of fair dealing on Ortiz's part is flat out insulting to the intelligence of any thinking person, and downright offensive to the memory of Aaron.
How would Ortiz like it if her own child was accused on trumped up charges and threatened with 35 or more years in prison in press releases -- and then told to "settle" for just six months. I doubt she would find that to be "fair."
Carmen Ortiz Releases Totally Bogus Statement Concerning The Aaron Swartz Prosecution
Aaron Swartz killed himself two years to the day after he was charged with violating the Computer Fraud and Abuse Act, a controversial legislation that some courts have interpreted as making it a felony to do anything not explicitly authorized with a computer you don't own (for example, changing one character in a URL in your browser and accessing a document can be a felony). Many attempts have been made to reform CFAA, none successful. Now Rep Zoe Lofgren (D-CA) has introduced "Aaron's Law", to insert the following in its pre-amble:
A violation of an agreement or contractual obligation regarding Internet or computer use, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer is not in itself a violation of this section.
Larry Lessig has endorsed the proposal, saying, "Hey, this is a CRITICALLY important change that would do incredible good. The CFAA was the hook for the government's bullying of @aaronsw. This law would remove that hook. In a single line: no longer would it be a felony to breach a contract. Let's get this done for Aaron — now."
This is a great start. A great start. But it's only a start. Aaron's cause wasn't bringing justice to computer users, it was bringing justice to everyone. America is history's number one imprisoner, and its penal system is ghastly and inhumane. CFAA-based bullying is just a symptom, not the disease.
I'm Rep Zoe Lofgren & I'm introducing "Aaron's Law" to change the Computer Fraud and Abuse Act (CFAA) (lofgren.house.gov)