I didn't expect my encounter with Berin Szoka to be very productive, and it wasn't. I confronted him with a number of challenges because I really find it increasingly disturbing just how much the CATO-style Libertarians are embracing the copyleftist gang lawfare game. I'm trying to figure out what this is really about. Republicans in retreat desperate to find allies anywhere?
As I wrote, Szoka made an eloquent and very organized speech at Aaron Swartz's memorial service in Washington, DC, and survived heckling from the goons in the audience who you would definitely not want to run your society, with their notion of "freedom".
But just like lefty lawyers and hackers, although he is on the right, he was vague on what he really meant by CFAA reform. He cautioned -- properly -- about the need not to make victims martyrhood a substitute for the careful craftsmanship of legal work. But he himself hasn't done that careful craftsmanship yet -- and his reference in a tweet to two letters he participated about CFAA reform don't cut it and don't relate to Swartz's case specifically or generically.
Szoka, a well-known figure in the TechFreedom group in DC, has a highly-credentialled resume with substantive experience in this field.
But he and his colleagues have never written on this site about CFAA, at least I couldn't find it on their site search or through Google search -- the former particularly can be notoriously insufficient so point me to it if you see it.
Instead of justifying his claims about linking Swartz to CFAA, all Szoka could do was play the gamerz forum ad-hominem trick of heckling me over lack of credentials. Why, if I'm not a professor of law -- or more demandingly, if I haven't published a text book on crime -- I have no right to comment on this.
Balderdash. First of all, he admitted that he wasn't a CFAA expert --
but then, he felt enough of an expert to call for its reform in the coalition letters in 2011 and 2012, and apply
Swartz's case to it at the memorial service, proving that of course, people can comment on laws if they wish.
In a free society, you don't have to be one of the elite or credentialed personages to comment on legal reform; indeed, it's vital that ordinary people affected by laws get to speak out. All of us will be affected by a copyleftist authoritarian regime destroying choice on the Internet particularly when we get to web 3.0 and the "Internet of Things". When much of your personal property -- your car, your house, your purchases -- will be essentially under the control of ethics-free coders, how will you live unless private property, privacy and commerce are protected from collectivists?
Libertarians ought to understand this better than they do -- I've seen how the Internet of Things works for years in prototype in Second Life -- I'm not interested waiting to find out in the future how shocked people are by hackers crashing your car or stopping your pacemaker because they don't like your blog. I want them to worry more about this now.
Given the lack of commentary from Szolta on CFAA, but his invocation of Kerr whom he respected, I checked back again (I'd already read them several times and blogged about them) to Kerr's articles, although Szolta had to use the forums' fanboyz technique of snottily demanding if I had "actually read" them. Online culture is brutal -- he's absorbed his share of it. Yes I "actually read" something I discussed on the Interwebs, big fella.
Kerr calls CFAA overbroad and wants to reform it -- sure, I get that, I've spent my entire life calling this or that law or bill "overbroad" -- that's what activists do. The question is to determine overbroad *how* and *where*.
So a good place to look which of course I had seen back then before Szoka reposted its link on Twitter, the letter that the Center for Democracy and Technology, produced in 2011, long before the emotions and drama swirling around Aaron Swartz's death -- but interestingly, more than a year after his arrest on hacking charges. They don't even mention his case in this letter, not even generically!
This August 3, 2011 letter addresses something different about CFAA in the area of "authorization".
"The law can be read to encompass ot only the malicious hackers and identity thieves the law was intended to cover, but also users who have not engaged in any activity that can or should be considered a 'computer crime'".
I'm not at all inclined to entrust the CDT crowd with any common-sense notion of what *is* a crime, given their readiness to join the thuggish and hysterical anti-SOPA band-wagon, but let's look to see what they mean by "without" or "in excess of" authorization which they complain is not defined.
o employees of companies who accessed networks in violation of terms of use
o users of networks who made fake/anonymous accounts to access a serve
And these aren't hypotheticals, like the hysterical tech blog reports on this kind of case -- these CDT regulars cite real court cases, says the letter:
Three federal circuit courts have agreed that an employee who exceeds an employer's network acceptable use policies can be prosecuted under the CFAA. At least one federal prosecutor has bruoght criminal charges against a user of a social network who signed up under a pseudonym in volation of terms of service.
o breaking and entry into a physical closet -- it doesn't matter if the door is open, it's still trespassing, he was not an MIT student
o creation of a fake name and fake account to make unauthorized access to a university's network, not a social network; he was also not an employee
o violation of the TOS, if you will, of this university -- not employer or social network -- but for the purpose of downloading 4 million files, which is such a large-scale act that as the JSTOR email to colleagues indicated, it prompted calling the police
o use of a circumvention script for rapid downloading and spoofing MAC and IP addresses
o disguising face on a security camera
o running away from campus police
Unless Berin Szoka and Orin Kerr, like the hacker gangs, are blessing the use of circumvention scripts and physical obstruction for large-scale unauthorized rapid downloading contrary to the intents and rights of the owners of the network and the IP holder, they can't claim Swartz fits their concerns about the "overbroad" CFAA law.
Szoka tweeted me about concerns that he feels Kerr has legitimate concerns about the "trigger" for the CFAA and federal computer law -- that they are too loose and light, so that an employee who copies something at work and gives it to a friend (or say, a waitress who copies a receipt with an angry scrawl from an irate customer and posts it on Facebook?) is treated like a Chinese hacker stealing Pentagon secrets.
But that's not the Aaron Swartz case: he deliberately concealed his identity digitally and physically -- those latter acts are what make it more secret. Sanchez was found not to apply in his case when he planted a laptop on MIT's LAN, and he could not reasonably expect "privacy" on the hacking device he left in the closet (!). Says the letter:
The CFAA should focus on malicious hacking and identity theft and not on criminalizing any behaviour that happens to take place online in violations of service or an acceptable use policy.
But Swartz doesn't fit that sentence, and they know it; they didn't use him as an example in either 2011 or 2012 letters before his death. That's because his act was malicious (i.e. deliberate, with a purpose). It *was* hacking, because it is massive unauthorized use -- and for the purpose of rendering the entire system pointless. While this may not have been admissible to consider at trial, this was a deliberate and large-scale an act now committed for the third time in Swartz's career -- there was also his hacking and massive download from the Library of Congress to make the same propagandistic point about how "information wants to be free" and the hacking and massive downloading of PACER, for the same cause. It is very hard to look at the Library of Congress, PACER and MIT/JSTOR hacks, and pretend that this is just somebody violating a TOS and "taking too many books out of the library" or this isn't malicious hacking.
And that's not what MIT IT personnel said, either. They called the cops. For good reason.
The only place where we *might* concede these CDT folks are relevant to Swartz is when at the very end of their letter, in the sort of overbroad statement they don't like to see in laws, they say:
We are eager to assist the Committee in addressing problems in the existing statuory language and in ensuring that critical Justice Department resources are focused where they are most needed: on the malicious hackers and online criminals who invade others' computers and networks to steal sensitive information and undermine the privacy of those whose information is stolen.
They seem to concede that maliciously invading others' computers and networks is potentially a crime, but they want to restrict the criminal offense then only to "classified" i..e sensitive information.
The problem with trying to shoehorn Swartz's case into their definition then and certainly postfactum now after he is dead is that when 4 million files are taken this way, with digital and physical obstruction and obfuscation, it's not just for a term paper -- it's to break the system substantially (and the only thing that stopped him was getting caught). The $5000 damages threshold for CFAA could very well be met here. While JSTOR dropped its charges, had Swartz succeeded in copying ALL their files and releasing them on some "free knowledge" site, they'd have little business left to cover their costs and they'd be forced to close. Are we supposed to wait for that to happen first before we ever open a single prosecution? MIT continued because their system was breached seriously and significantly beyond the revised forms of CFAA that these professors and lawyers would like to see changed! Regardless of whatever Creative Commons founder Prof. Hal Abelson, a computer science teacher and not a lawyer, will find in his inquiry.
And then there is this question: if you let somebody steal 4 million files when they feel like it and breach your system, what's to stop them and their friends then gaining access to more and more, and people's private information? What's to stop more and more hackers, as Anonymous has done, from seizing and defacing the site and grabbing private information of both university and law-enforcement officials they don't like, and trying to harass them into silence by exposing their privacy online? Orin Kerr is very good at explaining why there is such a law and has to be such a law -- deterrence.
Zoe Loftren is working on corrections to what the copyleftist gang see as needed to CFAA called "Aaron's law". But even the activists admit that this law wouldn't have helped Aaron himself. Zoe Lofgren is performing an incredibly manipulative and populist move on behalf of Silicon Valley in her home state by "crowdsourcing" (*snort*) the writing of this bill on Redditt.
Lessig and others pretend that the term "access without authorization" isn't understandable in Swartz's case. But of course it is. He *had* legitimate authorization with his Harvard ID. *He did not use it*. Instead he make a fake account and hacked MIT's servers* and not just casually with a fake ID to use a social network or take a few papers, but to download 4 million files -- again and again, and secret from a wiring closet.
As for the spoofing of the MAC address, the script kiddies claim that this is already "not a crime" but it is construed as such and that's why they want to reinforce that it is "not a crime" in a revised CFAA. Yet the only way software companies and platform providers have to keep banned customers out -- customers found to be disseminating child pornography, malicious scripts, selling illegal drugs, gambling, harassing/bullying/defaming others, etc. is through the hash ban. The script kiddies know that -- they want maximum freedom for themselves which is why they try to decriminalize MAC spoofing or IP shifting. IP blocks aren't enough for a company to manage the user base because they dynamically change and people in one family or large apartment complexes, etc. could all be using the same static and/or dynamically changing IP address. The hash ban on the computer's make and such is the only other back-up they have. Otherwise they cannot enforce their TOS.
No matter what Zoe comes up with through her Reddit pals or favourite online friend Mike Masnick, it's likely to be watered down and will never satisfy them. And we already see indication of that with Micah Schaffer's article in Wired, "We Need to Think Beyond the Aaron in 'Aaron's Law'"
There's a tendency to forgive Swartz because he either didn't make personal gain or he was "working for a cause" which is the "knowledge commons" that Lessig has preached as his brand of online collectivism for years. Yet Lessig admits Swartz crosses a line, even as he won't concede that prosecutors drew that line and did their jobs correctly.
Schaffer is the kind to endlessly edge-case Mitnick and any other case he thinks cramps his style -- these people are not really serious about legal reform. Typical is the failure of Schaffer -- like the misleading headline of Declan McCullough on CNET -- to admit that this "report in Massachusetts Lawyers Weekly" which claimed that Swartz only faced problems when the federal prosecutors took over -- was written by a lawyer in the firm that had previously undertaken Swartz's defense -- it was self-serving.
Swartz got a proportional sentence offer: six months. A felony on his record would not compromise his career as none of his existing employers or colleagues would have fired him.
Constant nattering about how we have to "decriminalize" computer intrusion is meant to wear away any rule of law whatsoever, not create a fair regime for computer use.
EFF is laughable when they include in their CFAA reforms as a "principle" of law this gem: "If a computer user is allowed to access ifnormation, simply doing it in an innovative way must not be a crime". Overbroad much? Did anyone ever teach these people that bad cases make bad law?! Essentially they are saying, "if we find new and clever and cunning ways of completely stealing the store and making it impossible for you to do business at all, you have to find us 'innovative'". Why does no one ever call them on such arrant bullshit?!
And Swartz's case just doesn't fit. Szolta has not sufficiently grappled with this inconsistency in their writings and they will have to in the future to be credible. Most of all, by citing precedents not hysterical hypotheticals.
Shaffer's theory is that we can't have strict laws -- or indeed, even lenient application of strict laws which is what we really have -- because this "radicalizes and alienates" the next generation of "innovators". Nonsense. What has already emboldened and radicalized a new generation of hackers is a tendency to excuse destruction of computer systems and walled gardens as "innovation," even though it's only Google's self-interested business model to sell ads.
Poppycock. They are already radicalized, alienated, and crashing the Supreme Court and going for the water plant next, after they get done with vigilante justice in Steubenville that has not only humiliated the victim even more online by spreading movies and pictures of her far further than even the football team, but muddied the possibility of finding facts in the normal judicial process. None of these people are the slightest bit concerned about this or that clause in CFAA -- they're Anonymous. They aren't innovating; they are destroying.
Recent Comments