[HN Gopher] Department of Justice announces new policy for charging cases under the CFAA
Author : JumpCrisscross
Score : 292 points
Date : 2022-05-19 15:27 UTC (7 hours ago)
web link (www.justice.gov)

| bragr wrote:
| Maybe, if you have to have a huge policy about all the different situations in which a law shouldn't apply, you have a bad law that needs fixing.
| rolph wrote:
| -make it clear who is not authorized to access your system.
|
| -make it clear where out of bounds begins despite authorization.
|
| -make it clear that when not explicitly authorized, any scanning, sniffing, spoofing etc. will be considered preparation for an attack; good faith can't exist unless you are explicitly authorized to probe the system.
|
| "The policy focuses the department's resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer -- such as one email account -- and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users' emails"
| gibolt wrote:
| This doesn't work. You are basically suggesting no one 'non-authorized' can find serious vulnerabilities. We save all of those for bad actors who are already outside the law.
| rolph wrote:
| I'm not only suggesting that, I enforce it. If you're not invited to contact my system stay away from it, I'm the one looking for vulnerabilities, if someone thinks they can do a better job they can email me and ask for permission, exchange notes etc.
|
| If an unauthorized, unrecognized contact starts snooping around my edge, they will be put on the graylist.
| WalterGR wrote:
| "The policy for the first time directs that good-faith security research should not be charged."
| KennyBlanken wrote:
| Which does not represent a change in action:
|
| > The new policy states explicitly the longstanding practice [...]
|
| Someone is inevitably going to bring up Aaron Swartz as the poster child for overzealous federal prosecution. To head that off at the pass:
|
| - Swartz persisted in his downloading of JSTOR documents despite knowing that he was causing what amounted to a denial of service attack. He significantly impacted researchers around the globe, for weeks. The impact of this on the scientific community is not understood by most armchair Swartz defenders; publication and grant deadlines, for example, do not wait for "I can't get access to the papers I need on JSTOR." He even set out to speed up the rate at which he was downloading articles by deploying more equipment on MIT's network.
|
| - JSTOR is a non-profit organization that exists for the sole purpose of archiving, cataloging, and providing _low cost access_ to journals for small organizations. It's a bit like protesting high food prices and half-a-trillion-dollar farm bills...by repeatedly chaining shut the doors of the local co-op grocery store because they "enable the system" (or something.)
|
| - Swartz had gotten in trouble for pulling this sort of stunt with PACER (which was far more deserving; the federal court system is mandated to provide the service at cost but has been inflating fees at an astronomical rate, essentially treating it as a for-profit business piggy bank.) The FBI and federal prosecutors pulled him in for a meeting and said "tread very, very carefully, son." What did he do? Ran along and did the same thing with JSTOR.
|
| - Swartz was initially indicted by a grand jury. Common folks, not devil-horned federal prosecutors, thought there was a case.
|
| It is often reported/claimed that Swartz was "going" to jail for X decades or "facing" X decades of jail time
|
| - The case never went to trial and it is unlikely he would have been convicted of all charges (though it is almost certain he would have been convicted of at least some of the charges; he left a preponderance of evidence.)
|
| - The claim of X years is based off combining maximum sentencing guidelines for all the charges, which is _never_ the result for white collar criminal convictions.
|
| And last but not least: prosecutors spent _a year and a half_ negotiating a plea deal - down to _a few months_ in Club Fed. He then refused the deal, in a way that made it look very much like he'd purposefully yanked prosecutors' chains while trying to win his case in the court of public opinion.
|
| He rejected the deal over the advice of a legal _team_ I'd classify as "better than the best money can buy", friends (including people like Lawrence Lessig), his family, his partner, etc. Swartz was happy to knowingly do the crime and wanted the glory and cred for it, but his ego could not stand the possibility of "the time".
| tptacek wrote:
| _Swartz was initially indicted by a grand jury. Common folks, not devil-horned federal prosecutors, thought there was a case._
|
| Careful, here. Grand juries are mostly a pro-forma thing; in all but the most egregious cases, they're going to rubber stamp indictments.
| bragr wrote:
| It's true that grand juries indict most cases brought before them - the standard is lower than at a trial and you don't get to put on a defense - but I don't think it's fair to characterize them as rubber stamps as they do occasionally refuse to indict, and by definition we never know about all the potential cases that could have been brought but weren't because the prosecutor didn't think a grand jury would go for it. It's not a cure-all for abuse, but it does mostly ensure charges pass a basic sniff test from a neutral 3rd party.
| mbg721 wrote:
| How much of a grand jury's job is actually justice, as opposed to being a way to avoid wasting the court's time?
| robonerd wrote:
| I believe the saying is a grand jury would indict a ham sandwich.
| pbhjpbhj wrote:
| I followed the case a little but don't remember any suggestions that he was singularly performing a DoS attack from the closet at MIT. Could you cite a contemporaneous source for that?
|
| Also, it's interesting to consider the massive benefit to scientific communities that Sci-Hub has brought. And how the trend since Swartz has been to ever increasing open access and to cut out the rent seekers.
|
| It seems like Swartz helped to light a path that, in general, scientific communities have followed.
|
| Liberating scientific knowledge, versus those who would rather lock that knowledge up and charge rent to use it ... which side are the criminals.
|
| His methodology was far from perfect, but you paint the liberation of scientific knowledge as if it were the crime of the century. I guess you think Sci-Hub is the devil's chariot?
| icodestuff wrote:
| Policy is nice, but what's the statute of limitations? If the next administration can decide to bring charges, this is no protection.
| bragr wrote:
| CFAA is only 2 years so that's not a huge problem
| icodestuff wrote:
| For the next 8 months.
| [deleted]
| mc4ndr3 wrote:
| Big and true.
|
| I don't care about the specifics, I don't care that the revision will certainly have some flaws. But it matters that anyone bothered to push for the security angels. This makes for a healthier security landscape. For more honest penetration tests. For adding more volunteers to the good side. Really, how did this even pass the usual hurdles to progress???
| your_username wrote:
| 1970-01-01 wrote:
| This effectively changes nothing. Authorization is still in quotes and remains subjective.
| tptacek wrote:
| The policy, linked to the bottom of the press release you're commenting on, goes into depth about what "authorization" means, and, more importantly, what it does not mean.
| 1970-01-01 wrote:
| Indeed, it means companies get a loophole for not paying for your bug bounty research because it wasn't done in "g00d f@ith" and is "3x70r710n":
|
| "for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services--might be called "research," but is not in good faith."
| burnished wrote:
| Are you imagining that a security researcher trying to get money from a bug bounty program would be considered extortion? Unless said hypothetical researcher says "pay me or I sell the exploit to the highest bidder", I don't believe the situation you are worried about could exist.
| bragr wrote:
| Companies' bug bounty programs are bound by their terms of service, not by this policy or the CFAA so I'm not sure what you are complaining about. Additionally companies are under no obligation to pay anyone for security research they did on their own (which is not to say that's a good policy) but they don't have to, and attempting to extort them into paying was a crime before and it's still a crime.
|
| The main people I would say this impacts are the people doing security research as a pure research pursuit, a hobby, otherwise as journalism or in the public interest.
| 1970-01-01 wrote:
| Having a bug bounty system designed to maximize the work put into testing a system with minimum payout is my chief complaint. The new "policy" does nothing to help that.
| KerrAvon wrote:
| No one is being compelled to do the work. Are you really saying you want the government involved in setting rates?
| 1970-01-01 wrote:
| Rates would be going too far. I would like to see an exception for non-payment for services rendered.
| bragr wrote:
| You seem to be confusing criminal federal law concerning unauthorized computer access with a civil federal law regulating the trade of software vulnerabilities, which is what you'd need to solve the "problem" you are complaining about.
| tptacek wrote:
| Nobody needs a loophole to not pay for DMARC configuration reports and logout CSRFs; they can just not pay.
| duxup wrote:
| >The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
|
| Seems pretty reasonable. There will be arguments over what exactly qualifies but it provides a clear guideline / reasons where someone at the DOJ can not charge someone with good reason.
|
| It hopefully sidesteps some of the "what even is hacking / a security breach / dude just opened browser dev tools ..." type questions where they can look and say "He notified them of the issue, I don't think this was in bad faith." Now you're all out of those other weeds.
|
| If anything hopefully this provides a good example to trickle down to other law enforcement agencies.
| inetknght wrote:
| I wonder what it means for, eg, forcing users' printer drivers to update to a hacked firmware which notifies them that their firmware was hackable?
|
| [0]: https://cybernews.com/security/we-hacked-28000-unsecured-pri...
| [deleted]
| [deleted]
| anonymousiam wrote:
| But this is just a policy clarification and not a change to the text of the CFAA itself. Policy is not law and there can be arbitrary exceptions and even complete reversals of policy with a change in power.
| frankfrankfrank wrote:
| I propose that this issue be effected in a different manner; through legislation to make companies and the executive level personally liable for any and all damages due to breaches, to an extreme level to motivate the companies and people to alter their positions on these matters.
|
| I get that people have this desire to impose their assistance on others by testing and revealing security vulnerabilities, however, how would you like it if someone knocked on your door one day and said, "hey, I was checking out all your doors and windows last night while you were sleeping and hacked into your security system, and thought you should know that it's all suuuuuuper insecure." I doubt most of us would appreciate that either.
|
| What we're really dealing with here is an abuse by the companies/services, where they have externalized the cost/risk of security vulnerabilities in lieu of profits and exec bonuses. If they had to internalize the risks/costs through my proposed damages, they would be quite motivated to prioritize even paying for white hat pen testing type activities, or even just opening up avenues for reporting and rewarding.
| ocdtrekkie wrote:
| Bear in mind though, a complete reversal of policy could be contested via the https://ballotpedia.org/Arbitrary-or-capricious_test
|
| Sure, this isn't a revised law, considering how hard that is to pass today, but it is a useful piece of official text from the highest law enforcement body of the land that should be taken to indicate what the government considers acceptable behavior. Proving you were abiding by what the government declared permissible is a pretty solid defense.
| duxup wrote:
| I'd have no problem with the law being changed too.
|
| However regardless how strict the law, someone "could" always abuse it anyway and some sensible level of enforcement is always needed.
|
| This isn't a panacea but responsible prosecution or lack of it is important too.
| zionic wrote:
| The recent 5th circuit decision, once it makes it to the Supreme Court, is going to change a lot in this regard.
| giantg2 wrote:
| Yep, this is very true. We see this all the time with other agencies. For example, the ATF waffles and changes definitions all the time resulting in felony charges for people who owned something that was previously approved. No reason to believe this is any different. Although it is a step in the right direction - just not a permanent step.
| pas wrote:
| Laws aren't permanent either. Even the constitution was planned to be amended regularly.
| giantg2 wrote:
| Yes, but laws require going through a legislative process. Agency regulation changes happen almost unilaterally, and generally much faster.
| starwind wrote:
| Policies can inform judges' decisions which inform precedent so I don't think this is worthless
| tptacek wrote:
| Orin Kerr is commenting about this on Twitter right now and says pretty clearly that the new policy doesn't create any rights in court; you can use it to try to persuade DOJ not to prosecute, but it's unlikely that you can use it as a defense once they do.
| londons_explore wrote:
| Is this true? Is a valid defense in court "your honour, I'm afraid that while I have broken the law, the prosecution should have ignored it according to their own policies?"
| xxpor wrote:
| >"your honour, I'm afraid that while I have broken the law, the prosecution should have ignored it according to their own policies?"
|
| No, but I'm having a hard time finding a reference now :/ You _may_ be able to argue malicious prosecution, in which that may be a piece of evidence. The bar for MP is quite high though.
| dane-pgp wrote:
| > You _may_ be able to argue malicious prosecution
|
| Another far-fetched strategy would be to argue that, because of the government's inconsistency about how the law is applied, the law itself might be unconstitutionally vague.[0] This is not legal advice, though.
|
| [0] https://en.wikipedia.org/wiki/Vagueness_doctrine
| nicknow wrote:
| No. The Principles of Federal Prosecution (Title 9 of the Justice Manual) make very clear you can't litigate whether a prosecutor is following DOJ's internal policies - that's between the Assistant US Attorney, the US Attorney, and the Attorney General.
| tiahura wrote:
| A judge may or may not care about DOJ's internal policies, and DOJ's disclaimer that it's not binding on them isn't binding on the judge.
|
| Defendants certainly argue that a particular prosecution is selective enforcement and will refer to DOJ policies.
| cmeacham98 wrote:
| Selective enforcement is legal though, no (as long as it isn't selecting based on a protected class such as race)?
| user3939382 wrote:
| In the abstract, arbitrary enforcement of the law is a serious threat to democracy. I completely agree, the law needs to be amended. Unfortunately Congress doesn't seem to act unless it's in the interest of their megacorp donors.
| tiahura wrote:
| _In the abstract, arbitrary enforcement of the law is a serious threat to democracy._
|
| No it's not. Prosecutorial discretion is older than the US Constitution. No one expects the police to pull over every driver that is going 36 in a 35, or arrest someone speeding to the hospital, or arrest everyone that fails to return a library book, or arrest every birthday party with loud music after 10.
|
| The police and prosecutors have always had the power to use their good judgment and warn without citing or prosecuting.
| sidewndr46 wrote:
| Something being old doesn't make it a good thing. Slavery was pretty old, we managed to get rid of that and I don't think we're worse off.
|
| To your point: I'd be thrilled if police officers actually pulled over everyone violating each and every traffic law. It'd make roads much safer and easier to use. As it stands where I live there is no longer any traffic enforcement.
| wolrah wrote:
| > No one expects the police to pull over every driver that is going 36 in a 35
|
| Why not? If it's ever OK to pull someone over for 1 MPH over the limit without any other violations, then why isn't it always? Where do you draw the line? Why not codify that instead of the strict limit?
|
| If there is supposed to be discretion, then the law should acknowledge this by not providing a strict limit and requiring that the state prove a case that the driver was being unsafe by traveling the speed they were. If there is a strict limit, then it should be set such that one can reasonably say that it's always wrong to exceed it. Saying it should be strictly enforced for some and loosely for others just leaves room for that discretion to be weaponized.
|
| ---
|
| It's also worth noting that at the moment speed enforcement has a much greater impact on the poor than the rich.
|
| For the most part if you can afford to hire a lawyer speeding tickets can be converted into zero-point off-the-record offenses and are then just a fine, and since fines are not scaled by income in this country anyone who has sufficient disposable income becomes effectively immune to them, where a person already living paycheck to paycheck who then likely has to take some or all of a day off of work to go to court might be ruined.
|
| Fix that and I could be in favor of strict enforcement as long as it was truly universal. I feel like if everyone was actually forced to obey the posted limit strictly we'd get some progress on killing speed trap towns and fixing the many places where a fast road has been built with an arbitrarily low speed limit that no one ever follows because it's insane.
| Thetawaves wrote:
| When unfair laws are enforced uniformly, the sons and daughters of the legislature, or even the legislature themselves become subject to the same laws they create. This applies the necessary pressure to repeal unjust laws. The alternative is laws that are only applied against 'bad people' - as determined through some inscrutable belief system. You should be able to imagine how this can be used to discriminate against entire classes of people.
| InitialLastName wrote:
| The difficulty that arises when people in power have the opportunity to use judgement to decide the courses of other peoples' lives is that we regularly see that judgement implement their (entirely human, but unjust) biases. Maybe they let the hot girl run a stop sign, but do an "exploratory stop" on the black dude because he "looks sketchy", escalate to a strip search because of an "odor of marijuana" and leave him with his car disassembled on the side of the road when they don't find anything (assuming nobody catches a beating or a bullet over a miscommunication).
|
| On the other hand, efforts to constrain that power have a tendency to encode societal biases and injustices in law (see mandatory minimum sentences as a prime example), so it's not at all clear what the right compromise is.
| tiahura wrote:
| Then fire them and get new ones. We want the system biased towards non-prosecution.
| robonerd wrote:
| On the other hand, airtight enforcement of all laws is a serious threat to liberty. Laws are imperfect and prosecutorial discretion is an important safety mechanism to prevent people in odd edge cases (which it turns out, are common) from getting unjustly maimed by the legal apparatus. Adjusting laws is also part of the process, but that is a slow process (another safety mechanism.)
| netizen-936824 wrote:
| Sounds to me like we need to write better laws
| nkrisc wrote:
| Yes. But the world is too complex to write perfect laws so we must always account for discretion. Writing better laws is a goal, not a solution.
| monocasa wrote:
| I agree that it's not a perfect solution (there's rarely such a thing in the application of law), but it's a better solution than a single DoJ administration's policy statements.
| robonerd wrote:
| Both at once works better than trusting just one. Think of it as Defense in Depth.
| monocasa wrote:
| I don't think anyone is suggesting anything different, only that a change in law would be a much stronger effective defense and something to also strive for (despite also not being perfect).
| duskwuff wrote:
| We do! The CFAA was literally a reaction to the film _WarGames_, written in an era where computers were rare and unusual, and very few people had any legitimate reason to access a computer network. It's long past time that it was updated to reflect modern reality and expectations.
|
| But in the meantime, it's great that the DOJ is explicitly denouncing some of the more ridiculous interpretations of the CFAA. No reasonable person would expect that violating a web site's Terms of Service could result in criminal charges, for example.
| cstejerean wrote:
| While the original CFAA goes back to 1986 it was amended a few times and IIRC the broad expansion happened in 2008.
| StillBored wrote:
| Or at least in the USA, actually seat a "jury of one's peers" rather than random Joes that can barely turn on a computer. For computer related crimes it shouldn't be that hard to find people working in a technology oriented field.
| supertrope wrote:
| A jury of one's peers means a random selection of the public. In England the Magna Carta codified this due process protection and it means that noblemen would be judged by other private individuals in their social class instead of by the King's functionaries.
| robonerd wrote:
| That's a difficult principle to generalize. Surely cops shouldn't get juries comprised of other cops. A lot of professions are known for circling the wagons and protecting their own (and I think tech is not the worst, but certainly not an exception.)
| monocasa wrote:
| The law interprets "jury of one's peers" differently than that. It specifically doesn't want them to be subject matter experts since each side will bring their own expert witnesses. It instead simply wants them to be ordinary, unattached members of the public rather than judges, prosecutors, politicians, or the victims themselves.
| nybble41 wrote:
| Right, your legal peers are members of the same social class (commoner, aristocracy, royalty), not people who work in the same field. In the US there is only one official social class, so everyone is your peer.
|
| There does seem to be an issue with baseline education standards and the ability of the jury to understand the evidence which they deliberate on, however. To an extent it's the lawyers' job to ensure that the jury understands their arguments, but no reasonable effort from a lawyer over the course of a single trial is going to make up for a lack of basic familiarity with the subject matter, which might normally take years to acquire. There is something to be said for systems which rely on professional jurors rather than random members of the public.
| gwright wrote:
| I once asked a friend who litigates patent infringement cases how a jury could possibly come to an informed decision on these cases. He said that it is definitely a challenge but that juries are pretty good at discerning when someone is lying or dissembling and litigators can build cases or defenses around that.
|
| Definitely anecdote and not data, but I found it interesting coming from a litigator in this area.
| nybble41 wrote:
| > ... prosecutorial discretion is an important safety mechanism to prevent people in odd edge cases ... from getting unjustly maimed by the legal apparatus.
|
| I agree, but there needs to be a mostly-automatic mechanism whereby repeated exercise of this discretion affects the law itself, so that you don't create the opposite problem: people getting unjustly maimed by the legal apparatus because a prosecutor decided to use their "discretion", for whatever reason, to enforce an obsolete law which was still on the books even though it's almost never enforced. (Because legislators apparently have better things to do than repeal old laws which hardly affect anyone.)
|
| A law which consistently goes unenforced should eventually become unenforceable, not remain discretionary. Consider this an application of the estoppel principle: If you choose not to enforce the law in cases A, B, and C, you shouldn't be able to later try to enforce it in case D without showing that there is some substantial difference between D and the first three cases.
|
| Mandatory sunset clauses would be another good idea, along with a requirement that the entire bill, along with any external documents incorporated by reference (e.g. building codes), must be read into the official record with a quorum of the legislature present before it can be passed or renewed.
| reaperducer wrote:
| _Mandatory sunset clauses would be another good idea_
|
| Some states have a government body that does nothing but review old laws and rules and agencies to see if they're still needed.
|
| I don't know how successful they are (for varying definitions of "successful,") but they do exist.
| dane-pgp wrote:
| To give an example, the UK has passed seventeen "Statute Law (Repeals) Acts"[0] since 1969, the most recent[1] being in 2013, which repealed the whole of 817 Acts of Parliament, and portions of more than 50 others (on the advice of the Law Commission[2]).
|
| [0] https://en.wikipedia.org/wiki/Statute_Law_%28Repeals%29_Act
|
| [1] https://en.wikipedia.org/wiki/Statute_Law_%28Repeals%29_Act_...
|
| [2] https://en.wikipedia.org/wiki/Law_Commission_%28England_and_...
| yebyen wrote:
| > Mandatory sunset clauses would be another good idea, along with a requirement that the entire bill, along with any external documents incorporated by reference (e.g. building codes), must be read into the official record with a quorum of the legislature present before it can be passed or renewed.
|
| This is one of the most sensible things I've heard proposed that will never work. (I'm saying that, if laws are so complicated that no human can learn them well enough to keep themselves in compliance without assistance of a compliance department, or so complicated that even the people who are directly responsible for them cannot be bothered with being made aware of the details and double checking that they still make sense on a somewhat regular basis... then they are too complicated.)
|
| I think it will never work because complex things are complex for a reason on the balance, and because we're already "too deep to dig ourselves out of this hole." But in principle I agree wholeheartedly with this idea.
| salawat wrote:
| Translation:
|
| I want it to be easy to add new ways to strip another person of their rights without being burdened by having to understand the system as a whole.
|
| -A complaint from every developer and legislator ever.
| yebyen wrote:
| Where do you get that anyone wants to strip anyone's rights away from within this conversation?
|
| We're talking about laws, which generally bind individuals to certain behaviors. Laws do not make rights as far as I'm aware (and IANAL), they are "God-given." At least in US legal tradition, as I understand, the default position of the law is that you are allowed to do anything which does not infringe on anyone else's enumerated rights, and laws can only bind you from doing things which you would otherwise be free to do in the absence of those laws.
|
| If the laws which bind our behaviors are so complex they cannot be read aloud in their totality in any practical time period then how is anyone (let alone anyone whose profession is not "the law" or acting in legislature) ever to be expected to understand them _as a whole_? (Especially when certain laws have traditionally gone unenforced, to borrow from the original context of this thread.)
|
| The law should be possible to understand. That is a decent aspirational goal. I'm not sure what you think I meant but it's not what you said.
| dataflow wrote:
| https://en.wikipedia.org/wiki/Desuetude
| RajT88 wrote:
| > people in odd edge cases (which it turns out, are common)
|
| Common in this case because the CFAA is often used not as an enforcement tool, but as a way of silencing critics, stifling scrutiny or just in general saving face.
| vkou wrote:
| 1. There isn't a single country in the world that does not use policy as the cornerstone of day-to-day governance, procedure, and enforcement.
|
| 2. There can be arbitrary changes to law too, with a change in power.
|
| You have numerous forms of redress when you feel that policy is incompatible with law. You can ask the agency in question. You can ask a legislator to pressure the agency. You can ask a legislator to write an explicit law. You can take the agency to court. You can elect an executive that can lay down policy requirements on their subservient agencies.
|
| There's a very unfortunate political meme in this country, that frequently repeats the lie that policy (executive or otherwise) is not the product of elected government. Like any magical spell, if repeated loudly, and frequently enough, I suppose its disciples might will it into being.
|
| When you don't like how the state's prosecutor's office works, in this country, you can elect a new head prosecutor, who will make changes in their department. When you don't like how the federal prosecutor's office works, in this country, you can elect a new executive. All of these agencies are thus under direct democratic control.
| ahtihn wrote:
| > 2. There can be arbitrary changes to law too, with a change in power.
|
| Arbitrary changes to law aren't retroactive in general. If you did something in the past that has later become illegal, you can't be prosecuted. The same doesn't apply for policy changes.
| vkou wrote:
| There is no prohibition on the legislature passing civil ex-post-facto laws, only criminal.
|
| Agencies can only enforce ex-post-facto policy changes if congress explicitly authorized them to.
|
| ... Also, as Matt Levine points out, executive agencies are prohibited by law from making capricious and arbitrary policy changes. Congress is not bound by any such restrictions - it can pass legislation that is as capricious and arbitrary, and as completely devoid of public input as it likes.
| bandyaboot wrote:
| Agreed. People who care about this stuff should absolutely keep this in mind when they're voting for who should be in power.
| pvarangot wrote: | This was a constant PITA while I was on an H1B and while not | changing the laws, they kept on changing exactly how they | interpreted everything. | | My lawyers told me also to not use government benefits while | on a Green Card, because even though it's probably ok and | won't harm my chances at citizenship they may change how they | interpret it later down the road and even though I was in the | clear when I got the benefits it might as well become a | showstopper later on. | legalcorrection wrote: | [deleted] | cmeacham98 wrote: | Citation? | VLM wrote: | It presents strongly in the courtroom for the defense. | | Even the worst case scenario of it being revoked in the | future, "The jury needs to know the government cannot make up | its mind if the defendant committed a crime, or more likely, | did not commit a crime." | | "Preponderance of the Evidence" is simply going to be tougher | when this is handed to the defense. | ConcernedCoder wrote: | "paying bills at work" -- yikes! | Jiro wrote: | This is good and bad at the same time. It's like having a law | that says that the police can shoot anyone at will, and then | announcing that since people were concerned that the police would | shoot someone going to the grocery store, all police are ordered | to not do that. | | It's better than shooting people for going to the grocery store, | but the real problem is the law. | | What's actually happened is that the government interprets the | CFAA so broadly that it's easily abused, people have been | pointing this out in court, and the government response is to | keep the broad interpretation but announce they won't enforce | those specific abusive examples. What they _should_ do is admit | that their interpretation is too broad; this is smoke and mirrors | to avoid doing so. | BarryMilo wrote: | One more step toward in an authoritarian direction. Vague laws | with arbitrary interpretations are bad for democracy. 
| dragonwriter wrote: | The US government isn't unitary. The executive branch controls | enforcement policy, the judicial branch controls | interpretation, and those can disagree. Your "they" refers to | separate institutions that do not have control over each other. | lostdog wrote: | He's implicitly saying that the legislative branch is failing | here, so yeah, it's bad overall. Plus the executive branch | does have significant control over legislation, and it's also | bad that they're not trying to fix the law. | | Overall, this individual move by the justice department is | good, but it's bad that more isn't being done. | lcnPylGDnU4H9OF wrote: | > What they _should_ do is admit that their interpretation is | too broad; this is smoke and mirrors to avoid doing so. | | It seems to me that these guidelines are their admission that | previous interpretations had been too broad. I'm curious what | you would otherwise expect to see (like, actually just curious; | hopefully that doesn't sound confrontational). | infogulch wrote: | I would expect that a law that _can_ be interpreted too | broadly should have its text changed so that such broad | interpretations are impossible. | thfuran wrote: | Our legislative branch is completely ineffectual though. | rektide wrote: | Feels weird that a law can apply to too much & be damaging to | society to such a degree that the judicial arm of government just | agrees it'd be awful to enforce the law & declares that they don't | intend to. | fnordpiglet wrote: | Note this is the executive branch not the judicial. Sadly laws | are so hard to legislate now this is how fixes are often being | done - piecemeal, weakly, and subject to random changes by | political whim. | YesThatTom2 wrote: | That's how law works. | mattnewton wrote: | Checks and balances. It's not great but it is a way around the | current legislature which has become increasingly paralyzed by | partisanship. 
| dragonwriter wrote: | The US Department of Justice is not the judicial arm of | government, but the executive. | pitaj wrote: | It's one of the many checks and balances we have available. | duxup wrote: | SCOTUS already shrunk the scope of some laws (I think it was | the CFAA) where they disagreed that simply violating a local | policy about computer usage === CFAA. | | I think this is a slow but natural process to narrowing it | down. | [deleted] | DannyBee wrote: | It is often not possible or desirable to have laws that are so | complete and exhaustive that they require 0 interpretation. | Laws, like most things, are designed to try to balance | flexibility and clarity where necessary. Otherwise, they are | mostly worthless, or become worthless very quickly. (and no, | you can't just make them super explicit and constantly update | them, it's completely intractable) | | As a result, pieces of government offering guidance/manuals for | their enforcement is very common. | | This is true both criminally and civilly. | | For example, the USPTO maintains the "manual of patent | examining procedure" that somewhat exhaustively interprets | patent law. | 1vuio0pswjnm7 wrote: | "Embellishing an online dating profile contrary to the terms of | service of the dating website; creating fictional accounts on | hiring, housing, or rental websites; using a pseudonym on a | social networking site that prohibits them; checking sports | scores at work; paying bills at work; or violating an access | restriction contained in a term of service are not themselves | sufficient to warrant federal criminal charges." | shockeychap wrote: | > The policy for the first time directs that good-faith security | research should not be charged. | | > Accordingly, the policy clarifies that hypothetical CFAA | violations that have concerned some courts and commentators are | not to be charged. 
Embellishing an online dating profile contrary | to the terms of service of the dating website; creating fictional | accounts on hiring, housing, or rental websites; using a | pseudonym on a social networking site that prohibits them; | checking sports scores at work; paying bills at work; or | violating an access restriction contained in a term of service | are not themselves sufficient to warrant federal criminal | charges. | | > However, the new policy acknowledges that claiming to be | conducting security research is not a free pass for those acting | in bad faith. For example, discovering vulnerabilities in devices | in order to extort their owners, even if claimed as "research," | is not in good faith. | | What exactly does this policy change even mean? Who was being | charged with a federal crime for checking a sports score or | paying a bill at work? And since the claim to be conducting | security research is not a "free pass" for unauthorized research, | I'd really like to know who exactly was being charged under the | old policy that is protected by the new? | | This "change" just seems like a bunch of pointless grandstanding. | duxup wrote: | Sometimes grandstanding makes sense. | | "We're not going to charge people for security research", might | reduce the chilling effects of some company threatening some | rando researcher. | shockeychap wrote: | How, exactly, when you qualify it with, "However, the new | policy acknowledges that claiming to be conducting security | research is not a free pass for those acting in bad faith. | For example, discovering vulnerabilities in devices in order | to extort their owners, even if claimed as "research," is not | in good faith."? | | Seems the rando researcher is subject to the same liabilities | as before. | duxup wrote: | I think that line is just there to state the obvious that | you can't say "security researcher" and get off free... 
| your actions determine if you are acting as a researcher, | not just a claim. | | I don't find that the least bit weird. | shockeychap wrote: | "discovering vulnerabilities in devices in order to | extort their owners, even if claimed as "research," is | not in good faith." | | If I had just discovered a vulnerability, and didn't have | a written contract authorizing me to do the research, I | wouldn't feel the least bit of additional protection from | this policy change, and would probably refrain from | extorting the owner. | | Edit: I had read "extorting" as "extolling" and | associated with notification, not extortion. (I even | typed "extorting" in this response.) I stand corrected, | as extortion changes the tone of the qualification. | duskwuff wrote: | You should probably refrain from extorting anyone, | regardless of the circumstances. :) | ok123456 wrote: | Is full disclosure good faith? | tptacek wrote: | Yes, by the plain language of the policy linked at the bottom | of the press release. You only get in trouble if you tease a | vulnerability and tell the target "I'm going to disclose | publicly if you don't pay me". | bastardoperator wrote: | Who determines "good faith"? This reminds me of when police say: | | "If you have something illegal on you, tell me now, because I | won't be able to help you later" | | Police had no intention of "helping" anyone, this is a lie that | makes life easier for police and prosecutors when it comes to | charging an individual. | | Would I be acting in good faith if I expect a monetary outcome | for my research? | bragr wrote: | Either way, don't talk to the police. You can't talk your way | out of charges, only talk your way into more charges. | | >Who determines "good faith"? | | If there's a real dispute about this and you've been charged, | ultimately it is up to the jury to decide. | l33t2328 wrote: | This is a bad interpretation of good advice. 
Yes, once you're | booked and in the interrogation room, shut up and lawyer up. | But on the street... | | You can absolutely talk your way out of things, and you can | "assert your rights" into charges. | | If you refuse to do anything more than legally obligated at a | traffic stop, you could easily get a ticket instead of a | warning. | shadowgovt wrote: | > who determines "good faith?" | | In this context, it's the DOJ chain of command. This sort of | memorandum isn't something that will impact a person's day in | court directly should they be prosecuted; it indicates to | prosecutors what the Executive branch would consider a | "career-limiting move" to waste public resources prosecuting. | | Compare with the Obama-era guidance about federal drug law | enforcement in states that had decriminalized marijuana. | Technically, marijuana never stopped being a (federal) | controlled substance, and _every_ state grow operation and | distribution center is in violation of federal law. Obama | made clear that enforcing that law in those states would be a | great way to send a strong signal to one's boss "I'm | comfortable at my current level of achievement and feel no | need to ever be promoted in the future," and that policy | basically hasn't changed in the intervening two | administrations. But the federal law is unchanged on the | matter. | tptacek wrote: | "Good faith" is carefully defined in the policy linked at the | bottom of the press release you're commenting on. | mewse-hn wrote: | I went down a small rabbit hole after reading this, curious if it | would have saved Aaron Swartz's life. | | It seems the lynchpin of the prosecution of Aaron Swartz was that | the CFAA criminalizes the breaking of a Terms of Service | agreement (ie. it is a felony to break a terms of service). | | They've attempted to address this with "Aaron's law" but it is | stalled in committee - people have blamed Oracle for lobbying it | to be blocked. | | So.. 
this is a nice move from the DoJ, but not enough. Patching | up a bad law with a policy to protect good faith security | researchers is good, but it's still a bad law. | oversocialized wrote: | tptacek wrote: | Swartz wasn't doing security research, and was charged with | wire fraud, not just unauthorized use under CFAA. This wouldn't | have helped him. | | He'd also likely have been undone by the provisos attached to | "exceeding unauthorized access"; the red line the new policy | draws is that once DOJ can demonstrate that someone _knowingly_ | exceeded their access, they're fair game, even if the | conditions they violated were spelled out only in a contract or | terms of use. | chrisfinazzo wrote: | IANAL, but I question whether the wire fraud charge would | hold up. The layman's definition doesn't seem to apply. | | Of course, my memory may be failing me as to details that | would make it relevant in his case. | | https://en.wikipedia.org/wiki/Mail_and_wire_fraud#Wire_fraud | tptacek wrote: | The layman's definition doesn't matter in the least. What | matters are the jury instructions, which you can look up. | The court system does not in fact leave it up to whatever | definitions of a crime happen to be bouncing around in the | jury's heads; the conditions required to find someone | guilty of a crime tend to be spelled out in great detail. | chrisfinazzo wrote: | Jury instructions which are sure to include a version of | "the wire fraud statute is defined as x, for those of you | who are not attorneys, think of this as {{ Insert | layman's definition here }}." | | Rephrasing would help the jury understand how to evaluate | Aaron's actions and determine whether or not they meet | the standard. | | I may be missing something about what transpired that | causes me to think that it does not apply, but you can be | sure that the jury will have heard evidence from the | prosecution which lays out why they believe it is | relevant in this particular case. 
| Uehreka wrote: | Here are some Model Jury Instructions for Wire Fraud | charges from the 9th circuit: | https://www.ce9.uscourts.gov/jury-instructions/node/583 | | They're not what I would call a "layman's definition". | When you're on a trial like this, you'll probably get a | printed out version of these instructions to read over | and over while deliberating. And the lawyers on each side | will try to contextualize their arguments against this | exact language (as long as the judge doesn't think | they're being misleading or breaking other rules). | | You may not come into the trial as an expert on wire | fraud, but the court will give you the background info | you need, and you're expected to make a judgement based | on the law. | tptacek wrote: | No, that's not how jury instructions work. Just go look | them up! They're incredibly useful for message board | discussions about specific crimes. | gnfargbl wrote: | > even if the conditions they violated were spelled out only | in a contract or terms of use. | | Is that correct? In https://www.justice.gov/opa/press- | release/file/1507126/downl..., I see: | | > that division is established in a computational sense, that | is, through computer code or configuration, rather than | through contracts, terms of service agreements, or employee | policies | | and later | | > A CFAA prosecution may not be brought on the theory that a | defendant exceeds authorized access solely by violating an | access restriction contained in a contractual agreement or | term of service with an Internet service provider or web | service available to the general public | | and | | > the Department will not take the position that a mere | contractual violation caused the user's previous | authorization to be automatically withdrawn | | However, any previous authorization _is_ withdrawn if you | receive something that you should understand as a C&D. 
| | It seems to me that this new policy says that to reach the | threshold for CFAA prosecution you must now do more than | "just" violate the terms of service. Am I misreading? | ARandomerDude wrote: | > curious if it would have | | Hypotheticals like this are difficult to answer seriously. | Still, if I had to guess, I suspect he would have been | prosecuted nonetheless because he wasn't a good faith security | researcher. | shadowgovt wrote: | Better mental healthcare might have saved Swartz's life, not | different laws. | jedberg wrote: | On the one hand, you're absolutely right. Anyone who kills | themselves clearly had some sort of mental health issue. But | on the other hand, he grew up in a wealthy family and briefly | attended Stanford -- he had access to some of the best health | care in the world already. | | So I'm not sure better mental healthcare would have helped. | Probably more along the lines of destigmatizing mental | healthcare might have helped, which is a much harder problem | to solve, but also something that thankfully Millennials/Gen | Z are doing on their own. It's no longer taboo to mention | that you're in therapy. | mc4ndr3 wrote: | Require publicly funded research to publish results publicly, | instead of hiding it in paid gardens. | tzs wrote: | It wouldn't have made a difference. People tend to forget just | how much effort Swartz put into repeatedly evading MIT's | attempts to kick him off their network. That's not the kind of | situation this policy change is trying to address. | | Heck, from the description of "Aaron's law" on Senator Wyden's | site I'm not sure that would have made a difference either. It | probably would have at most reduced some of the redundant | charging, but since the redundant charging doesn't actually add | to the sentence if convicted it would not really have affected | the ultimate outcome much. 
| | There's a good summary of the long cat and mouse game to try to | kick him off the network, and an analysis of the various | charges against him and how likely they were to stick here [1]. | | [1] https://volokh.com/2013/01/14/aaron-swartz-charges/ | givemeethekeys wrote: | I don't trust this. How many administrations and ruined lives did | it take? Why did it take so long? | tptacek wrote: | I don't know. How many lives did it ruin? How many people in | the US have been charged under CFAA for doing security | research? | mindcrime wrote: | Not only that, but as merely a change in policy, as opposed to | a change in the actual law, it's more or less alterable on a | whim. A new administration, or even _this_ administration could | reverse this at the drop of a hat. So it's not exactly | something to rely on to any tremendous degree. | glitcher wrote: | Exactly, and this point is even illustrated in the final | words of the last sentence of the announcement: | | "The new policy replaces an earlier policy that was issued in | 2014, and takes effect immediately." | kingcharles wrote: | Good luck on this. Might not stop you getting arrested and put | into pretrial detention for years until you find the right | prosecutor to dismiss the charges. | | A policy isn't a change in the law. The statute needs to be | changed to add an exemption for security research. Until that | happens I'd be careful. | pluram4815 wrote: ___________________________________________________________________ (page generated 2022-05-19 23:00 UTC)