Hacker News new | ask | show | jobs
by CaptArmchair 1809 days ago
So, this is the first time I read about your case. I couldn't help but think of Aaron Swartz.

https://en.wikipedia.org/wiki/United_States_v._Swartz

Basically, he downloaded open access journals from an academic repository. But he did it by physically connecting a laptop to the MIT university network and hiding the device in a servicing space without authorization.

Downloading open access papers isn't an issue in and of itself. In fact, it's pointed out that Swartz wasn't prosecuted for theft or copyright violations. The charges mainly were founded on alleged fraud and breaking and entering.

https://crln.acrl.org/index.php/crlnews/article/view/8637/90...

The law applies in Aaron's case was the CFAA. The same law under which you faced scrutiny.

https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act https://www.law.cornell.edu/uscode/text/18/1030

Just like you, Aaron Swartz got into the sights of the Secret Service at the time. The difference between you and him is that Swartz was actually arrested, arraigned and finally indicted by a federal grand jury.

(The CFAA stipulates that the Secret Service has the authority to investigate you under 18 U.S.C. § 1030(d)(1) see: https://www.law.cornell.edu/uscode/text/18/1030)

> the case is clear

On the contrary.

The big criticism on the CFAA is that its application has spilled over into tort law and contract law. It's a law which defines computer and wire fraud in incredibly broad terms and phrases. This leads to criminal convictions within a civil law context. The CFAA creates a up a massive potential for being made liable for daily, unassuming actions - e.g. sharing a password - transforming a misdemeanor into a felony really fast depending on the context / circumstances.

As a result, the CFAA is an example of a law where the bar / standards for prosecution are determined / tested / evaluated on a per-case basis through the judicial process.

It's also why it's so hard to get clear cut answers from the EFF or your lawyers. Sure, there's precedent, but it remains unclear how things would have panned out in your specific case since it never went to court.

In Aaron's case, it was later pointed out that MIT didn't even actively seek federal prosecution:

https://www.wsj.com/articles/SB10001424127887324809004578637...

> why I needed consent

That's the thing. Strictly speaking: it's a choice, not an obligation. Laws and moral values or principles aren't preemptive. They don't stop you from doing something anyway. Their purpose is to create a formal framework of consequences that tie into your behavior.

Liability then is the probability you're going to be held accountable in a court of law.

(In the same vain: copyright doesn't stop you from actually copying protected works. It only has carries weight if it actually gets enforced. That is, the rights holders decides to seek damages, and/or the state seeks to prosecute you. And even then, you really only face hard consequences - fines, damages, jail time - if a court rules in the plaintiff's favor.)

The CFAA specifically explicitly mentions the condition "without authorization" a grand total of 10 times when it defines violations under 18 U.S.C. § 1030(a).

All in all, when you entered the store, went to a machine and installed that program, paying attention that you didn't have to agree to any terms of service, you very much entered that grey, murky, muddled area of broad interpretation of the CFAA, contract and tort law.

Not having that explicit consent or authorization creates a liability: if you were spotted or caught, you'd potentially face consequences per the legal framework and its interpretation in a court of law.

... and that's exactly what happened to you.

Probably someone at the Apple store caught onto what you were doing, made an internal report which found its way to Apple's legal team. Corporate legal compliance provides a playbook and one of those steps involves notifying law enforcement and, ultimately, the Secret Service.

Unlike Aaron Swartz, you were lucky in that the authorities felt that there wasn't enough grounds to make a case against you and press formal charges before federal court. From their perspective, that's a cost / benefit trade off: it's just not worth spending time and resources pursuing legal action if the outcome is already tenuous from the outset.

> a lot of people here in the comments seem to believe

There's a difference between legal truth and moral truth.

From the point of view of the legal framework, all you did was expose yourself to several legal liabilities. The legal framework itself doesn't hold any opinions whether that's smart or dumb. You were lucky that there were no serious consequences beyond a visit by the Secret Service.

The public, however, look at your actions through a moral lens. They see someone who willingly exposed themselves to such liability, and members of the public can/will hold and voice personal opinions about what happened.

While you never went to court, there's a consensus that your behavior did cross a moral line. Put more succinctly: "Who in their right mind would do a guerilla style installation of a desktop application on Macbooks in the Apple store and assume there's no potential for serious legal consequences?"

That's value attribution akin to "Why would you decide to run a red light in downtown Manhattan, in front of dozens of witnesses, law enforcement camera's,... and run the risk of getting caught?"

People on here feel like you made a bad judgement call regardless of who you are, or the project in and off itself. And that's even perfectly compatible with how they feel about the CFAA, Apple, the U.S. Secret Service and so on.
1 comments
kcimc 1809 days ago
Wow, incredible response! I appreciate you taking the time to respond :)

I am very familiar with Aaron's case. I think your analysis is correct: some people believe I made a bad judgement call, and the CFAA is broad enough that this created a liability, even though we cannot know whether it was legal. I think my frustration with most armchair-analysis (not including you, CaptArmchair) is that folks confuse their moral certainty (I "made a bad judgement call") with legal certainty ("this is the kind of thing the CFAA protects us from"). But the law is a lot more complicated.

For me the concern is exactly (d)(1). When the CFAA is overly broad, and the ability to investigate is granted to all "offenses", where does that leave us? Can Apple cry "CFAA!" at anything they don't like? In practice, there are some checks and balances: in this case, Judge Lois Bloom decided to sign the warrant; Judge Judith Philips refused to prosecute. Is this enough? To me, seeing the ways the CFAA has been abused in other cases, it's not so clear.

link
CaptArmchair 1808 days ago
> When the CFAA is overly broad, and the ability to investigate is granted to all "offenses", where does that leave us?

Good question. The "offenses" are defined in the (a), and here you see the scope of the problem. It's a terse summation that describes what amounts to an offense under the CFAA in very general terms, and therein lies the problem.

(a)(5) for instance is a catch-all:

"Whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;"

Both "damage" as well as "protected" can be broadly interpreted. This leaves definitively asserting the interpretation of those terms in the hands of courts. And that's problematic.

> Can Apple cry "CFAA!" at anything they don't like?

Strictly speaking: Yes. Of course, Apple can only start civil cases under tort law and contract law. Equivalent to anyone, they can notify / inform law enforcement. It's the prerogative of the latter to decide on steps necessary.

Also strictly speaking, prosecution doesn't happen at the behest of an individual plaintiff (e.g. Apple) but at the behest of the state (hence why cases are named United States versus ...).

> In practice, there are some checks and balances: in this case, Judge Lois Bloom decided to sign the warrant; Judge Judith Philips refused to prosecute. Is this enough?

That's the question at heart. The legal branch of government, Congress, has voted and backed the CFAA into law. In doing so, it leaves the interpretations of the CFAA to the judicial branch of government.

How problematic an overly broad law applied to an extremely complex, and rapidly changing technological and societal context can be, is demonstrated by cases like yours and Aaron's.

Having law enforcement knocking on your door, or being outright arrested raise questions about the proportionality with which the state responds to a suspicion, and how that then ripples through and harms individual citizens.

However, the judicial system also allows room for re-interpretation and clarification of laws. Just last month, a case under the CFAA was ruled by SCOTUS curbing the scope of the CFAA: Van Buren vs. United States

> In a six-three decision, the US Supreme Court yesterday ruled in Van Buren v. United States that Federal prosecutors may not go after authorized individuals who access databases for unauthorized purposes under the 1986 Computer Fraud and Abuse Act (CFAA), Politico reports. The incident in question in Van Buren v. United States concerned an ex-officer caught searching a license plate database in return for a bribe.

> Though explaining the decision as a product of the law’s language, not its effects, Justice Barrett wrote in the majority ruling, “The Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity" including “using a pseudonym on Facebook.” Justice Thomas in a dissenting opinion observed, “Much of the Federal Code criminalizes common activity," and “discomfort” with that fact “does not give us authority to alter statutes.”

> Technology and advocacy groups like the National Whistleblower Center had raised concerns that the standing interpretation of the law jeopardized free speech and security research in addition to criminalizing trivial terms of service violations. Organizations like the Federal Law Enforcement Officers Association, on the other hand, worry that narrowing the scope of the CFAA will limit prosecutors’ ability to tackle “insider threats.” A CNN Supreme Court analyst said the ruling will require Governments and companies “to be far more specific in their policies governing access to databases.”

https://thecyberwire.com/newsletters/policy-briefing/3/107

It just goes to show that the discussion about the language of the CFAA is also at loggerheads at the highest judicial court. However, here SCOTUS clearly signals to lower courts that the scope and interpretation of the CFAA actually does have limits.

Both sides do have a valid argument though. On the one hand, in it's current form, the vagueness of the CFAA causes issues when it comes to "freedom of press" rights e.g. investigative journalism, however the CFAA also protects your business as it gives law enforcement the authority to go after ransomware groups.

To my mind, for all its vagueness, the CFAA is a prime example of democracy in action as the innate vagueness is discussed in the public debate (media), as well as in courts (SCOTUS, courts, precedents,...) as well as in Congress. In that regard, I don't think there will ever be a gold standard everyone can and will agree on. It will be more of a continued debate that might yield subsequent rulings and amending bills in the future, as technology and society changes throughout the next decade(s). It's up to us to have that debate.

link
kcimc 1804 days ago
Just want to say thanks again for the great comment. I was following Van Buren, and it was a certainly vindication. I agree with you there is a push and pull. Here's hoping that debate & discussion that needs to happen plays out in a way that puts the people first, instead of expanding protections to the government and big corps.
link