Hacker News new | ask | show | jobs
by spinlocked 4895 days ago
Lofgren's proposal appears to address the EFFs main concerns:

https://www.eff.org/deeplinks/2013/01/aaron-swartz-fix-draco...

Legislating against what you term "prosecutorial misconduct" is far fetched. Can you imagine how you would word that legislation without hampering law enforcement efforts against the real bad guys? Do you really want that?

Having the law named after Aaron would be more than symbolic, it would be a perpetual reminder that overreach against programmers who in general want to make the world a better place can result in massive civil outcry, and to a large extent address your concerns too.
4 comments
tptacek 4895 days ago
Do I want a better sentencing system for computer fraud, so that it remains possible for companies to defend themselves without needing to spend hundreds of thousands of dollars every quarter finding every conceivable loophole an attacker might exploit, while not leading to a situation where simply using a computer turns a simple offense into a 6 year prison sentence?

Yes, that is what I want, and I don't think it's too much to ask for.

After I wrote the comment above, I worried that it would read as a contrarian barb at any attempt to move forward with better computer crime laws. I don't mean it that way, which is why I went back and pointed out that Lessig thinks it's "critically important". But I meant my first question as I wrote it: would Aaron's Law really have helped Aaron?

link
spinlocked 4895 days ago
Its too late for that. Look to the future instead. Will having Arron's Law in place, coupled with civil outcry and petitions we've seen , prevent the next Aaron from being over-zealously prosecuted?

I think the answer is: not entirely, but its a huge, practical step in that direction. This is one of those things that you celebrate, not dismiss cynically.

Think of an alternate reaction. Why not create a petition on the whitehouse to make this small step a reality instead of cynically dismissing it? Remember, your pessimism can influence a whole audience into inaction. Recent precedent suggests.

link
tptacek 4895 days ago
I'm not being cynical. The fact that Aaron's Law wouldn't have helped Aaron isn't a cynical point. I don't oppose the act at all. TOS violations shouldn't be felonies.

This is one of those ridiculous message board arguments where both parties agree, and the argument is actually not about the issues about about the metaissue of how people are posturing. Do you believe federal criminal sentencing is sensible or just? Here, I'll just speak for you: no you don't. We disagree on nothing. Let's move on.

link
spinlocked 4895 days ago
If you could kindly edit your top comment by requesting readers to contact their representatives to help get this passed, THEN i will move on. Till then I have a pretty low opinion of you.
link
coopdog 4895 days ago
Potentially. I think what got him is the argument that because he was authorised only in accordance with the terms of use, once he violated the terms of service he was now an unauthorised cracker (despite not actually cracking any system/software), and was going to go down under the CFAA.

I think the intent of the law is to remove the terms of use from determining whether or not the use is authorised. So since guests from any IP were authorised on MIT and JSTOR, despite the fact that he violated their terms of use, they then couldn't have hit him at all with the CFAA.

link
tptacek 4895 days ago
The problem I'm bringing up is that Kerr and Granick have both pointed out that TOS violations weren't the only problem, or even the most severe problem, facing Swartz's defense. His attempts to evade filtering had the added misfortune of setting him up to "appear guilty" at trial.
link
tedunangst 4895 days ago
Guests from any IP, except Aaron's IP. Until he got a new one. And then another.

Hypothetical Question: someone is accessing your network in an unauthorized way. How do you tell them? An IP is not a person, so how do you make your desire that they stop known? Block their IP? What if they come back with a new one?

link
ScottBurson 4895 days ago
Do you really think that any legal change would reduce the need for security auditing of apps? I'm afraid that seems awfully unlikely to me. Even if US-based attackers would be deterred, there are plenty of places in the world the Internet reaches but US jurisdiction doesn't.
link
tptacek 4895 days ago
I think the effort put into securing computers is an inevitable dead-weight loss. Laws against pollution don't make everyone stop polluting; some polluters will just find creative ways to conceal what they're doing. Definitely doesn't mean I think pollution should be legal.
link
dlitz 4894 days ago
Computer security, at least while attached to the Internet, doesn't work that way. When all it takes is one attacker anywhere in the world to write a worm that compromises everyone, everyone needs to secure their systems.

Some problems really are best solved using technical means. If we stop building systems that can be exploited by arbitrary outsiders (yes, this is possible, and probably not that expensive in the long run if we standardize a few good protocols), then we can should be able to reach a point where a certain baseline of security can just be taken for granted.

link
tptacek 4894 days ago
The idea that abusing people's computers to disable their businesses or gain access to confidential information should be legal because "that problem is best solved using technical means" is so hostile to my perspective that there's probably little chance of us learning anything from each other by debating it.
link
ScottBurson 4894 days ago
For the record, that was not my thrust. (Can't speak for dlitz.)

I was just surprised at your suggestion that better laws would reduce your workload at Matasano.

link
AnthonyMouse 4895 days ago
>Lofgren's proposal appears to address the EFFs main concerns

Does it? I don't see anything reducing the excessive penalties, just somewhat narrowing what qualifies for them.

Let me be clear, I think this bill is a good bill -- I don't see anything wrong with it except that it is incomplete. It solves only a small subset of the problems we need to solve here. Narrowing the definition of unauthorized access can only be a good thing, but I could reasonably argue that it is still too broad given the current penalties, and remains incredibly vague notwithstanding that this would explicitly exclude certain things. So either the penalties still need to come down significantly, or what qualifies needs to be further narrowed, or both. But it's a good first draft. A step in the right direction.

link
HistoryInAction 4895 days ago
The problem with prosecutorial discretion is that it allows prosecutors to drift down from the baseline sentencing (see: DACA re: DREAM Act) but also choose not to. In this case, the AUSA clearly decided that maximizing the sentence was the best way to get a plea bargain to increase his metrics of successful prosecutions.

The law is never going to be perfect, and our outcries do more to serve as a perpetual reminder (see: SOPA) against legal overreach than any law will be.

link
cookiecaper 4895 days ago
>Legislating against what you term "prosecutorial misconduct" is far fetched. Can you imagine how you would word that legislation without hampering law enforcement efforts against the real bad guys? Do you really want that?

Maybe it's less about "legislating against" the specific conduct, and more about oversight on incumbent prosecutors and ease of removal when someone proves themselves unworthy of the considerable power with which they've been trusted.

link