[HN Gopher] Department of Justice announces new policy for charg...
___________________________________________________________________
Department of Justice announces new policy for charging cases under
the CFAA
Author : JumpCrisscross
Score : 292 points
Date : 2022-05-19 15:27 UTC (7 hours ago)
| bragr wrote:
| Maybe, if you have to have a huge policy about all the different
| situations in which a law shouldn't apply, you have a bad law
| that needs fixing.
| rolph wrote:
| -make it clear who is not authorized to access your system.
|
| -make it clear where out of bounds begins despite authorization.
|
| -make it clear that when not explicitly authorized, any scanning,
| sniffing, spoofing etc. will be considered preparation for an
| attack; good faith can't exist unless you are explicitly
| authorized to probe the system.
|
| "The policy focuses the department's resources on cases where a
| defendant is either not authorized at all to access a computer or
| was authorized to access one part of a computer -- such as one
| email account -- and, despite knowing about that restriction,
| accessed a part of the computer to which his authorized access
| did not extend, such as other users' emails"
| gibolt wrote:
| This doesn't work. You are basically suggesting no one 'non-
| authorized' can find serious vulnerabilities. We save all of
| those for bad actors who are already outside the law.
| rolph wrote:
| I'm not only suggesting that, I enforce it. If you're not
| invited to contact my system stay away from it, I'm the one
| looking for vulnerabilities, if someone thinks they can do a
| better job they can email me and ask for permission, exchange
| notes etc.
|
| if an unauthorized, unrecognized contact starts snooping
| around my edge, they will be put on the graylist.
| WalterGR wrote:
| "The policy for the first time directs that good-faith security
| research should not be charged."
| KennyBlanken wrote:
| Which does not represent a change in action:
|
| > The new policy states explicitly the longstanding practice
| [...]
|
| Someone is inevitably going to bring up Aaron Swartz as the
| poster child for overzealous federal prosecution. To head that
| off at the pass:
|
| - Swartz persisted in his downloading of JSTOR documents
| despite knowing that he was causing what amounted to a denial
| of service attack. He significantly impacted researchers around
| the globe, for weeks. The impact of this on the scientific
| community is not understood by most armchair Swartz defenders;
| publication and grant deadlines, for example, do not wait for
| "I can't get access to the papers I need on JSTOR." He even set
| out to speed up the rate at which he was downloading articles
| by deploying more equipment on MIT's network.
|
| - JSTOR is a non-profit organization that exists for the sole
| purpose of archiving, cataloging, and providing _low cost
| access_ to journals for small organizations. It's a bit like
| protesting high food prices and half-a-trillion-dollar farm
| bills...by repeatedly chaining shut the doors of the local co-
| op grocery store because they "enable the system" (or
| something.)
|
| - Swartz had gotten in trouble for pulling this sort of stunt
| with PACER (which was far more deserving; the federal court
| system is mandated to provide the service at cost but has been
| inflating fees at an astronomical rate, essentially treating it
| as a for-profit business piggy bank.) The FBI and federal
| prosecutors pulled him in for a meeting and said "tread very,
| very carefully, son." What did he do? Ran along and did the
| same thing with JSTOR.
|
| - Swartz was initially indicted by a grand jury. Common folks,
| not devil-horned federal prosecutors, thought there was a case.
|
| It is often reported/claimed that Swartz was "going" to jail
| for X decades or "facing" X decades of jail time
|
| - The case never went to trial and it is unlikely he would have
| been convicted of all charges (though it is almost certain he
| would have been convicted of at least some of the charges; he
| left a preponderance of evidence.)
|
| - The claim of X years is based off combining maximum
| sentencing guidelines for all the charges, which is _never_ the
| result for white collar criminal convictions.
|
| And last but not least: prosecutors spent _a year and a half_
| negotiating a plea deal - down to _a few months_ in Club Fed.
| He then refused the deal, in a way that made it look very much
| like he'd purposefully yanked prosecutor's chains while trying
| to win his case in the court of public opinion.
|
| He rejected the deal over the advice of a legal _team_ I'd
| classify as "better than the best money can buy", friends
| (including people like Lawrence Lessig), his family, his
| partner, etc. Swartz was happy to knowingly do the crime and
| wanted the glory and cred for it, but his ego could not stand
| the possibility of "the time".
| tptacek wrote:
| _Swartz was initially indicted by a grand jury. Common folks,
| not devil-horned federal prosecutors, thought there was a
| case._
|
| Careful, here. Grand juries are mostly a pro-forma thing; in
| all but the most egregious cases, they're going to rubber
| stamp indictments.
| bragr wrote:
| It's true that grand juries indict most cases brought
| before them - the standard is lower than at a trial and you
| don't get to put on a defense - but I don't think it's fair
| to characterize them as rubber stamps as they do
| occasionally refuse to indict, and by definition we never
| know about all the potential cases that could have been
| brought but weren't because the prosecutor didn't think a
| grand jury would go for it. It's not a cure all for abuse,
| but it does mostly ensure charges pass a basic sniff test
| from a neutral 3rd party.
| mbg721 wrote:
| How much of a grand jury's job is actually justice, as
| opposed to being a way to avoid wasting the court's time?
| robonerd wrote:
| I believe the saying is a grand jury would indict a ham
| sandwich.
| pbhjpbhj wrote:
| I followed the case a little but don't remember any
| suggestions that he was singularly performing a DoS attack
| from the closet at MIT. Could you cite a contemporaneous
| source for that?
|
| Also, it's interesting to consider the massive benefit to
| scientific communities that Sci-Hub has brought. And how the
| trend since Swartz has been to ever increasing open access
| and to cut out the rent seekers.
|
| It seems like Swartz helped to light a path that, in general,
| scientific communities have followed.
|
| Liberating scientific knowledge, versus those who would
| rather lock that knowledge up and charge rent to use it ...
| which side are the criminals?
|
| His methodology was far from perfect, but you paint the
| liberation of scientific knowledge as if it were the crime of
| the century. I guess you think Sci-Hub is the devil's
| chariot?
| icodestuff wrote:
| Policy is nice, but what's the statute of limitations? If the
| next administration can decide to bring charges, this is no
| protection.
| bragr wrote:
| CFAA is only 2 years so that's not a huge problem
| icodestuff wrote:
| For the next 8 months.
| [deleted]
| mc4ndr3 wrote:
| Big and true.
|
| I don't care about the specifics, I don't care that the revision
| will certainly have some flaws. But it matters that anyone
| bothered to push for the security angels. This makes for a
| healthier security landscape. For more honest penetration tests.
| For adding more volunteers to the good side. Really, how did this
| even pass the usual hurdles to progress???
| your_username wrote:
| 1970-01-01 wrote:
| This effectively changes nothing. Authorization is still in
| quotes and remains subjective.
| tptacek wrote:
| The policy, linked to the bottom of the press release you're
| commenting on, goes into depth about what "authorization"
| means, and, more importantly, what it does not mean.
| 1970-01-01 wrote:
| Indeed, it means companies get a loophole for not paying for
| your bug bounty research because it wasn't done in "g00d
| f@ith" and is "3x70r710n":
|
| "for the purpose of discovering security holes in devices,
| machines, or services in order to extort the owners of such
| devices, machines, or services--might be called "research,"
| but is not in good faith."
| burnished wrote:
| Are you imagining that a security researcher trying to get
| money from a bug bounty program would be considered
| extortion? Unless said hypothetical researcher says "pay me
| or I sell the exploit to the highest bidder", I don't
| believe the situation you are worried about could exist.
| bragr wrote:
| Companies' bug bounty programs are bound by their terms of
| service, not by this policy or the CFAA so I'm not sure
| what you are complaining about. Additionally companies are
| under no obligation to pay anyone for security research
| they did on their own (which is not to say that's a good
| policy) but they don't have to, and attempting to extort
| them into paying was crime before and it's still a crime.
|
| The main people I would say this impacts is the people
| doing security research as a pure research pursuit, a
| hobby, otherwise as journalism or in the public interest.
| 1970-01-01 wrote:
| Having a bug bounty system designed to maximize the work
| put into testing a system with minimum payout is my chief
| complaint. The new "policy" does nothing to help that.
| KerrAvon wrote:
| No one is being compelled to do the work. Are you really
| saying you want the government involved in setting rates?
| 1970-01-01 wrote:
| Rates would be going too far. I would like to see an
| exception for non-payment for services rendered.
| bragr wrote:
| You seem to be confusing criminal federal law concerning
| unauthorized computer access with a civil federal law
| regulating the trade of software vulnerabilities, which
| is what you'd need to solve the "problem" you are
| complaining about.
| tptacek wrote:
| Nobody needs a loophole to not pay for DMARC configuration
| reports and logout CSRFs; they can just not pay.
| duxup wrote:
| >The policy for the first time directs that good-faith security
| research should not be charged. Good faith security research
| means accessing a computer solely for purposes of good-faith
| testing, investigation, and/or correction of a security flaw or
| vulnerability, where such activity is carried out in a manner
| designed to avoid any harm to individuals or the public, and
| where the information derived from the activity is used primarily
| to promote the security or safety of the class of devices,
| machines, or online services to which the accessed computer
| belongs, or those who use such devices, machines, or online
| services.
|
| Seems pretty reasonable. There will be arguments over what
| exactly qualifies but it provides a clear guideline / reasons
| where someone at the DOJ can not charge someone with good reason.
|
| It hopefully side steps some of the "what even is hacking / a
| security breach / dude just opened browser dev tools ..." type
| questions where they can look and say "He notified them of the
| issue, I don't think this was in bad faith." Now you're all out
| of those other weeds.
|
| If anything hopefully this provides a good example to trickle
| down to other law enforcement agencies.
| inetknght wrote:
| I wonder what it means for, eg, forcing users' printer drivers
| to update to a hacked firmware which notifies them that their
| firmware was hackable?
|
| [0]: https://cybernews.com/security/we-hacked-28000-unsecured-
| pri...
| [deleted]
| [deleted]
| anonymousiam wrote:
| But this is just a policy clarification and not a change to the
| text of the CFAA itself. Policy is not law and there can be
| arbitrary exceptions and even complete reversals of policy with
| a change in power.
| frankfrankfrank wrote:
| I propose that this issue be effected in a different manner;
| through legislation to make companies and the executive level
| personally liable for any and all damages due to breaches, to
| an extreme level to motivate the companies and people to
| alter their positions on these matters.
|
| I get that people have this desire to impose their assistance
| on others by testing and revealing security vulnerabilities,
| however, how would you like if someone knocked on your door
| one day and said, "hey, I was checking out all your doors and
| windows last night while you were sleeping and hacked into
| your security system, and thought you should know that it's
| all suuuuuuper insecure." I doubt most of us would appreciate
| that either.
|
| What we're really dealing with here is an abuse by the
| companies/services, where they have externalized the
| cost/risk of security vulnerabilities in lieu of profits and
| exec bonuses. If they had to internalize the risks/costs
| through my proposed damages, they would be quite motivated to
| prioritize even paying for white hat pen testing type
| activities, or even just opening up avenues for reporting and
| rewarding.
| ocdtrekkie wrote:
| Bear in mind though, a complete reversal of policy could be
| contested via the
| https://ballotpedia.org/Arbitrary-or-capricious_test
|
| Sure, this isn't a revised law, considering how hard that is
| to pass today, but it is a useful piece of official text from
| the highest law enforcement body of the land that should be
| taken to indicate what the government considers acceptable
| behavior. Proving you were abiding by what the government
| declared permissible is a pretty solid defense.
| duxup wrote:
| I'd have no problem with the law being changed too.
|
| However regardless how strict the law someone "could" always
| abuse it anyway and some sensible level of enforcement is always
| needed.
|
| This isn't a panacea but responsible prosecution or lack of
| it is important too.
| zionic wrote:
| The recent 5th circuit decision, once it makes it to the
| Supreme Court, is going to change a lot in this regard.
| giantg2 wrote:
| Yep, this is very true. We see this all the time with other
| agencies. For example, the ATF waffles and changes
| definitions all the time resulting in felony charges for
| people who owned something that was previously approved. No
| reason to believe this is any different. Although it is a
| step in the right direction - just not a permanent step.
| pas wrote:
| Laws aren't permanent either. Even the constitution was
| planned to be amended regularly.
| giantg2 wrote:
| Yes, but laws require going through a legislative
| process. Agency regulation changes happen almost
| unilaterally, and generally much faster.
| starwind wrote:
| Policies can inform judges' decisions which inform precedent so
| I don't think this is worthless
| tptacek wrote:
| Orin Kerr is commenting about this on Twitter right now and
| says pretty clearly that the new policy doesn't create any
| rights in court; you can use it to try to persuade DOJ not
| to prosecute, but it's unlikely that you can use it as a
| defense once they do.
| londons_explore wrote:
| Is this true? Is a valid defense in court "your honour, I'm
| afraid that while I have broken the law, the prosecution
| should have ignored it according to their own policies?"
| xxpor wrote:
| >"your honour, I'm afraid that while I have broken the
| law, the prosecution should have ignored it according to
| their own policies?"
|
| No, but I'm having a hard time finding a reference now :/
| You _may_ be able to argue malicious prosecution, in
| which that may be a piece of evidence. The bar for MP is
| quite high though.
| dane-pgp wrote:
| > You _may_ be able to argue malicious prosecution
|
| Another far-fetched strategy would be to argue that,
| because of the government's inconsistency about how the
| law is applied, the law itself might be
| unconstitutionally vague.[0] This is not legal advice,
| though.
|
| [0] https://en.wikipedia.org/wiki/Vagueness_doctrine
| nicknow wrote:
| No. The Principles of Federal Prosecution (Title 9 of the
| Justice Manual) make very clear you can't litigate
| whether a prosecutor is following DOJ's internal policies
| - that's between the Assistant US Attorney, the US
| Attorney, and the Attorney General.
| tiahura wrote:
| A judge may or may not care about DOJ's internal
| policies, and DOJ's disclaimer that's not binding on them
| isn't binding on the judge.
|
| Defendants certainly argue that a particular prosecution
| is selective enforcement and will refer to DOJ policies.
| cmeacham98 wrote:
| Selective enforcement is legal though, no (as long as it
| isn't selecting based on a protected class such as race)?
| user3939382 wrote:
| In the abstract, arbitrary enforcement of the law is a
| serious threat to democracy. I completely agree, the law
| needs to be amended. Unfortunately Congress doesn't seem to
| act unless it's in the interest of their megacorp donors.
| tiahura wrote:
| _In the abstract, arbitrary enforcement of the law is a
| serious threat to democracy._
|
| No it's not. Prosecutorial discretion is older than the US
| Constitution. No one expects the police to pull over every
| driver that is going 36 in a 35, or arrest someone speeding
| to the hospital, or arrest everyone that fails to return a
| library book, or arrest every birthday party with loud
| music after 10.
|
| The police and prosecutors have always had the power to use
| their good judgment and warn without citing or prosecuting.
| sidewndr46 wrote:
| Something being old doesn't make it a good thing. Slavery
| was pretty old, we managed to get rid of that and I don't
| think we're worse off.
|
| To your point: I'd be thrilled if police officers
| actually pulled over everyone violating each and every
| traffic law. It'd make roads much safer and easier to
| use. As it stands where I live there is no longer any
| traffic enforcement.
| wolrah wrote:
| > No one expects the police to pull over every driver
| that is going 36 in a 35
|
| Why not? If it's ever OK to pull someone over for 1 MPH
| over the limit without any other violations, then why
| isn't it always? Where do you draw the line? Why not
| codify that instead of the strict limit?
|
| If there is supposed to be discretion, then the law
| should acknowledge this by not providing a strict limit
| and requiring that the state prove a case that the driver
| was being unsafe by traveling the speed they were. If
| there is a strict limit, then it should be set such that
| one can reasonably say that it's always wrong to exceed
| it. Saying it should be strictly enforced for some and
| loosely for others just leaves room for that discretion
| to be weaponized.
|
| ---
|
| It's also worth noting that at the moment speed
| enforcement has a much greater impact on the poor than
| the rich.
|
| For the most part if you can afford to hire a lawyer
| speeding tickets can be converted into zero point off-
| the-record offenses and are then just a fine, and since
| fines are not scaled by income in this country anyone who
| has sufficient disposable income becomes effectively
| immune to them where a person living paycheck to paycheck
| already who then likely has to take some or all of a day
| off of work to go to court might be ruined.
|
| Fix that and I could be in favor of strict enforcement as
| long as it was truly universal. I feel like if everyone
| was actually forced to obey the posted limit strictly
| we'd get some progress on killing speed trap towns and
| fixing the many places where a fast road has been built
| with an arbitrarily low speed limit that no one ever
| follows because it's insane.
| Thetawaves wrote:
| When unfair laws are enforced uniformly, the sons and
| daughters of the legislature, or even the legislature
| themselves become subject to the same laws they create.
| This applies the necessary pressure to repeal unjust
| laws. The alternative is laws that are only applied
| against 'bad people' - as determined through some
| inscrutable belief system. You should be able to imagine
| how this can be used to discriminate against entire
| classes of people.
| InitialLastName wrote:
| The difficulty that arises when people in power have the
| opportunity to use judgement to decide the courses of
| other peoples' lives is that we regularly see that
| judgement implement their (entirely human, but unjust)
| biases. Maybe they let the hot girl run a stop sign, but
| do an "exploratory stop" on the black dude because he
| "looks sketchy", escalate to a strip search because of an
| "odor of marijuana" and leave him with his car
| disassembled on the side of the road when they don't find
| anything (assuming nobody catches a beating or a bullet
| over a miscommunication).
|
| On the other hand, efforts to constrain that power have a
| tendency to encode societal biases and injustices in law
| (see mandatory minimum sentences as a prime example), so
| it's not at all clear what the right compromise is.
| tiahura wrote:
| Then fire them and get new ones. We want the system
| biased towards non-prosecution.
| robonerd wrote:
| On the other hand, airtight enforcement of all laws is a
| serious threat to liberty. Laws are imperfect and
| prosecutorial discretion is an important safety mechanism
| to prevent people in odd edge cases (which it turns out,
| are common) from getting unjustly maimed by the legal
| apparatus. Adjusting laws is also part of the process, but
| that is a slow process (another safety mechanism.)
| netizen-936824 wrote:
| Sounds to me like we need to write better laws
| nkrisc wrote:
| Yes. But the world is too complex to write perfect laws
| so we must always account for discretion. Writing better
| laws is a goal, not a solution.
| monocasa wrote:
| I agree that it's not a perfect solution (there's rarely
| such a thing in the application of law), but it's a
| better solution than a single DoJ administration's policy
| statements.
| robonerd wrote:
| Both at once works better than trusting just one. Think
| of it as Defense in Depth.
| monocasa wrote:
| I don't think anyone is suggesting anything different,
| only that a change in law would be much stronger
| effective defense and something to also strive for
| (despite also not being perfect).
| duskwuff wrote:
| We do! The CFAA was literally a reaction to the film
| _WarGames_ , written in an era where computers were rare
| and unusual, and very few people had any legitimate
| reason to access a computer network. It's long past time
| that it was updated to reflect modern reality and
| expectations.
|
| But in the meantime, it's great that the DOJ is
| explicitly denouncing some of the more ridiculous
| interpretations of the CFAA. No reasonable person would
| expect that violating a web site's Terms of Service could
| result in criminal charges, for example.
| cstejerean wrote:
| While the original CFAA goes back to 1986 it was amended
| a few times and IIRC the broad expansion happened in
| 2008.
| StillBored wrote:
| Or at least in the USA, actually seat a "jury of one's
| peers" rather than random Joes that can barely turn on a
| computer. For computer related crimes it shouldn't be
| that hard to find people working in a technology oriented
| field.
| supertrope wrote:
| A jury of one's peers means a random selection of the
| public. In England the Magna Carta codified this due
| process protection and it means that noblemen would be
| judged by other private individuals in their social class
| instead of by the King's functionaries.
| robonerd wrote:
| That's a difficult principle to generalize. Surely cops
| shouldn't get juries comprised of other cops. A lot of
| professions are known for circling the wagons and
| protecting their own (and I think tech is not the worst,
| but certainly not an exception.)
| monocasa wrote:
| The law interprets "jury of one's peers" differently than
| that. It specifically doesn't want them to be subject
| matter experts since each side will bring their own
| expert witnesses. It instead simply wants them to be
| ordinary, unattached members of the public rather than
| judges, prosecutors, politicians, or the victims
| themselves.
| nybble41 wrote:
| Right, your legal peers are members of the same social
| class (commoner, aristocracy, royalty), not people who
| work in the same field. In the US there is only one
| official social class, so everyone is your peer.
|
| There does seem to be an issue with baseline education
| standards and the ability of the jury to understand the
| evidence which they deliberate on, however. To an extent
| it's the lawyers' job to ensure that the jury understands
| their arguments, but no reasonable effort from a lawyer
| over the course of a single trial is going to make up for
| a lack of basic familiarity with the subject matter,
| which might normally take years to acquire. There is
| something to be said for systems which rely on
| professional jurors rather than random members of the
| public.
| gwright wrote:
| I once asked a friend who litigates patent infringement
| cases how a jury could possibly come to an informed
| decision on these cases. He said that it is definitely a
| challenge but that juries are pretty good at discerning
| when someone is lying or dissembling and litigators can
| build cases or defenses around that.
|
| Definitely anecdote and not data, but I found it
| interesting coming from a litigator in this area.
| nybble41 wrote:
| > ... prosecutorial discretion is an important safety
| mechanism to prevent people in odd edge cases ... from
| getting unjustly maimed by the legal apparatus.
|
| I agree, but there needs to be a mostly-automatic
| mechanism whereby repeated exercise of this discretion
| affects the law itself, so that you don't create the
| opposite problem: people getting unjustly maimed by the
| legal apparatus because a prosecutor decided to use their
| "discretion", for whatever reason, to enforce an obsolete
| law which was still on the books even though it's almost
| never enforced. (Because legislators apparently have
| better things to do than repeal old laws which hardly
| affect anyone.)
|
| A law which consistently goes unenforced should
| eventually become unenforceable, not remain
| discretionary. Consider this an application of the
| estoppel principle: If you choose not to enforce the law
| in cases A, B, and C, you shouldn't be able to later try
| to enforce it in case D without showing that there is
| some substantial difference between D and the first three
| cases.
|
| Mandatory sunset clauses would be another good idea,
| along with a requirement that the entire bill, along with
| any external documents incorporated by reference (e.g.
| building codes), must be read into the official record
| with a quorum of the legislature present before it can be
| passed or renewed.
| reaperducer wrote:
| _Mandatory sunset clauses would be another good idea_
|
| Some states have a government body that does nothing but
| review old laws and rules and agencies to see if they're
| still needed.
|
| I don't know how successful they are (for varying
| definitions of "successful,") but they do exist.
| dane-pgp wrote:
| To give an example, the UK has passed seventeen "Statute
| Law (Repeals) Acts"[0] since 1969, the most recent[1]
| being in 2013, which repealed the whole of 817 Acts of
| Parliament, and portions of more than 50 others (on the
| advice of the Law Commission[2]).
|
| [0] https://en.wikipedia.org/wiki/Statute_Law_%28Repeals%
| 29_Act
|
| [1] https://en.wikipedia.org/wiki/Statute_Law_%28Repeals%
| 29_Act_...
|
| [2] https://en.wikipedia.org/wiki/Law_Commission_%28Engla
| nd_and_...
| yebyen wrote:
| > Mandatory sunset clauses would be another good idea,
| along with a requirement that the entire bill, along with
| any external documents incorporated by reference (e.g.
| building codes), must be read into the official record
| with a quorum of the legislature present before it can be
| passed or renewed.
|
| This is one of the most sensible things I've heard
| proposed that will never work. (I'm saying that, if laws
| are so complicated that no human can learn them well
| enough to keep themselves in compliance without
| assistance of a compliance department, or so complicated
| that even the people who are directly responsible for
| them cannot be bothered with being made aware of the
| details and double checking that they still make sense on
| a somewhat regular basis... then they are too
| complicated.)
|
| I think it will never work because complex things are
| complex for a reason on the balance, and because we're
| already "too deep to dig ourselves out of this hole." But
| in principle I agree wholeheartedly with this idea.
| salawat wrote:
| Translation:
|
| I want it to be easy to add new ways to strip another person
| of their rights without being burdened by having to
| understand the system as a whole.
|
| -A complaint from every developer and legislator ever.
| yebyen wrote:
| Where do you get that anyone wants to strip anyone's
| rights away from within this conversation?
|
| We're talking about laws, which generally bind
| individuals to certain behaviors. Laws do not make rights
| as far as I'm aware (and IANAL), they are "God-given." At
| least in US legal tradition, as I understand, the default
| position of the law is that you are allowed to do
| anything which does not infringe on anyone else's
| enumerated rights, and laws can only bind you from doing
| things which you would otherwise be free to do in the
| absence of those laws.
|
| If the laws which bind our behaviors are so complex they
| cannot be read aloud in their totality in any practical
| time period then how is anyone (let alone anyone whose
| profession is not "the law" or acting in legislature)
| ever to be expected to understand them _as a whole_?
| (Especially when certain laws have traditionally gone
| unenforced, to borrow from the original context of this
| thread.)
|
| The law should be possible to understand. That is a
| decent aspirational goal. I'm not sure what you think I
| meant but it's not what you said.
| dataflow wrote:
| https://en.wikipedia.org/wiki/Desuetude
| RajT88 wrote:
| > people in odd edge cases (which it turns out, are
| common)
|
| Common in this case because the CFAA is often used not as
| an enforcement tool, but as a way of silencing critics,
| stifling scrutiny or just in general saving face.
| vkou wrote:
| 1. There isn't a single country in the world that does not
| use policy as the cornerstone of day-to-day governance,
| procedure, and enforcement.
|
| 2. There can be arbitrary changes to law too, with a change
| in power.
|
| You have numerous forms of redress when you feel that policy
| is incompatible with law. You can ask the agency in question.
| You can ask a legislator to pressure the agency. You can ask
| a legislator to write an explicit law. You can take the
| agency to court. You can elect an executive that can lay down
| policy requirements on their subservient agencies.
|
| There's a very unfortunate political meme in this country,
| that frequently repeats the lie that policy (executive or
| otherwise) is not the product of elected government. Like any
| magical spell, if repeated loudly, and frequently enough, I
| suppose its disciples might will it into being.
|
| When you don't like how the state's prosecutor's office
| works, in this country, you can elect a new head prosecutor,
| who will make changes in their department. When you don't
| like how the federal prosecutor's office works, in this
| country, you can elect a new executive. All of these agencies
| are thus under direct democratic control.
| ahtihn wrote:
| > 2. There can be arbitrary changes to law too, with a
| change in power.
|
| Arbitrary changes to law aren't retroactive in general. If
| you did something in the past that has later become
| illegal, you can't be prosecuted. The same doesn't apply
| for policy changes.
| vkou wrote:
| There is no prohibition on the legislature passing civil
| ex-post-facto laws, only criminal.
|
| Agencies can only enforce ex-post-facto policy changes if
| congress explicitly authorized them to.
|
| ... Also, as Matt Levine points out, executive agencies
| are prohibited by law from making capricious and
| arbitrary policy changes. Congress is not bound by any
| such restrictions - it can pass legislation that is as
| capricious and arbitrary, and as completely devoid of
| public input as it likes.
| bandyaboot wrote:
| Agreed. People who care about this stuff should absolutely
| keep this in mind when they're voting for who should be in
| power.
| pvarangot wrote:
| This was a constant PITA while I was on an H1B and while not
| changing the laws, they kept on changing exactly how they
| interpreted everything.
|
| My lawyers told me also to not use government benefits while
| on a Green Card, because even though it's probably ok and
| won't harm my chances at citizenship they may change how they
| interpret it later down the road and even though I was in the
| clear when I got the benefits it might as well become a
| showstopper later on.
| legalcorrection wrote:
| [deleted]
| cmeacham98 wrote:
| Citation?
| VLM wrote:
| It presents strongly in the courtroom for the defense.
|
| Even the worst case scenario of it being revoked in the
| future, "The jury needs to know the government cannot make up
| its mind if the defendant committed a crime, or more likely,
| did not commit a crime."
|
| "Preponderance of the Evidence" is simply going to be tougher
| when this is handed to the defense.
| ConcernedCoder wrote:
| "paying bills at work" -- yikes!
| Jiro wrote:
| This is good and bad at the same time. It's like having a law
| that says that the police can shoot anyone at will, and then
| announcing that since people were concerned that the police would
| shoot someone going to the grocery store, all police are ordered
| to not do that.
|
| It's better than shooting people for going to the grocery store,
| but the real problem is the law.
|
| What's actually happened is that the government interprets the
| CFAA so broadly that it's easily abused, people have been
| pointing this out in court, and the government response is to
| keep the broad interpretation but announce they won't enforce
| those specific abusive examples. What they _should_ do is admit
| that their interpretation is too broad; this is smoke and mirrors
| to avoid doing so.
| BarryMilo wrote:
| One more step toward in an authoritarian direction. Vague laws
| with arbitrary interpretations are bad for democracy.
| dragonwriter wrote:
| The US government isn't unitary. The executive branch controls
| enforcement policy, the judicial branch controls
| interpretation, and those can disagree. Your "they" refers to
| separate institutions that do not have control over each other.
| lostdog wrote:
| He's implicitly saying that the legislative branch is failing
| here, so yeah, it's bad overall. Plus the executive branch
| does have significant control over legislation, and it's also
| bad that they're not trying to fix the law.
|
| Overall, this individual move by the justice department is
| good, but it's bad that more isn't being done.
| lcnPylGDnU4H9OF wrote:
| > What they _should_ do is admit that their interpretation is
| too broad; this is smoke and mirrors to avoid doing so.
|
| It seems to me that these guidelines are their admission that
| previous interpretations had been too broad. I'm curious what
| you would otherwise expect to see (like, actually just curious;
| hopefully that doesn't sound confrontational).
| infogulch wrote:
| I would expect that a law that _can_ be interpreted too
| broadly should have its text changed so that such broad
| interpretations are impossible.
| thfuran wrote:
| Our legislative branch is completely ineffectual though.
| rektide wrote:
| Feels weird that a law can apply to too much & be damaging to
| society to such a degree that the judicial arm of government just
| agrees it'd be awful to enforce the law & declares that they don't
| intend to.
| fnordpiglet wrote:
| Note this is the executive branch not the judicial. Sadly laws
| are so hard to legislate now this is how fixes are often being
| done - piecemeal, weakly, and subject to random changes by
| political whim.
| YesThatTom2 wrote:
| That's how law works.
| mattnewton wrote:
| Checks and balances. It's not great but it is a way around the
| current legislature which has become increasingly paralyzed by
| partisanship.
| dragonwriter wrote:
| The US Department of Justice is not the judicial arm of
| government, but the executive.
| pitaj wrote:
| It's one of the many checks and balances we have available.
| duxup wrote:
| SCOTUS already shrunk the scope of some laws (I think it was
| the CFAA) where they disagreed that simply violating a local
| policy about computer usage === CFAA.
|
| I think this is a slow but natural process to narrowing it
| down.
| [deleted]
| DannyBee wrote:
| It is often not possible or desirable to have laws that are so
| complete and exhaustive that they require 0 interpretation.
| Laws, like most things, are designed to try to balance
| flexibility and clarity where necessary. Otherwise, they are
| mostly worthless, or become worthless very quickly. (and no,
| you can't just make them super explicit and constantly update
| them, it's completely intractable)
|
| As a result, pieces of government offering guidance/manuals for
| their enforcement is very common.
|
| This is true both criminally and civilly.
|
| For example, the USPTO maintains the "manual of patent
| examining procedure" that somewhat exhaustively interprets
| patent law.
| 1vuio0pswjnm7 wrote:
| "Embellishing an online dating profile contrary to the terms of
| service of the dating website; creating fictional accounts on
| hiring, housing, or rental websites; using a pseudonym on a
| social networking site that prohibits them; checking sports
| scores at work; paying bills at work; or violating an access
| restriction contained in a term of service are not themselves
| sufficient to warrant federal criminal charges."
| shockeychap wrote:
| > The policy for the first time directs that good-faith security
| research should not be charged.
|
| > Accordingly, the policy clarifies that hypothetical CFAA
| violations that have concerned some courts and commentators are
| not to be charged. Embellishing an online dating profile contrary
| to the terms of service of the dating website; creating fictional
| accounts on hiring, housing, or rental websites; using a
| pseudonym on a social networking site that prohibits them;
| checking sports scores at work; paying bills at work; or
| violating an access restriction contained in a term of service
| are not themselves sufficient to warrant federal criminal
| charges.
|
| > However, the new policy acknowledges that claiming to be
| conducting security research is not a free pass for those acting
| in bad faith. For example, discovering vulnerabilities in devices
| in order to extort their owners, even if claimed as "research,"
| is not in good faith.
|
| What exactly does this policy change even mean? Who was being
| charged with a federal crime for checking a sports score or
| paying a bill at work? And since the claim to be conducting
| security research is not a "free pass" for unauthorized research,
| I'd really like to know who exactly was being charged under the
| old policy that is protected by the new?
|
| This "change" just seems like a bunch of pointless grandstanding.
| duxup wrote:
| Sometimes grandstanding makes sense.
|
| "We're not going to charge people for security research", might
| reduce the chilling effects of some company threatening some
| rando researcher.
| shockeychap wrote:
| How, exactly, when you qualify it with, "However, the new
| policy acknowledges that claiming to be conducting security
| research is not a free pass for those acting in bad faith.
| For example, discovering vulnerabilities in devices in order
| to extort their owners, even if claimed as "research," is not
| in good faith."?
|
| Seems the rando researcher is subject to the same liabilities
| as before.
| duxup wrote:
| I think that line is just there to state the obvious that
| you can't say "security researcher" and get off free...
| your actions determine if you are acting as a researcher,
| not just a claim.
|
| I don't find that the least bit weird.
| shockeychap wrote:
| "discovering vulnerabilities in devices in order to
| extort their owners, even if claimed as "research," is
| not in good faith."
|
| If I had just discovered a vulnerability, and didn't have
| a written contract authorizing me to do the research, I
| wouldn't feel the least bit of additional protection from
| this policy change, and would probably refrain from
| extorting the owner.
|
| Edit: I had read "extorting" as "extolling" and
| associated with notification, not extortion. (I even
| typed "extorting" in this response.) I stand corrected,
| as extortion changes the tone of the qualification.
| duskwuff wrote:
| You should probably refrain from extorting anyone,
| regardless of the circumstances. :)
| ok123456 wrote:
| Is full disclosure good faith?
| tptacek wrote:
| Yes, by the plain language of the policy linked at the bottom
| of the press release. You only get in trouble if you tease a
| vulnerability and tell the target "I'm going to disclose
| publicly if you don't pay me".
| bastardoperator wrote:
| Who determines "good faith"? This reminds me of when police say:
|
| "If you have something illegal on you, tell me now, because I
| won't be able to help you later"
|
| Police had no intention of "helping" anyone, this is a lie that
| makes life easier for police and prosecutors when it comes to
| charging an individual.
|
| Would I be acting in good faith if I expect a monetary outcome
| for my research?
| bragr wrote:
| Either way, don't talk to the police. You can't talk your way
| out of charges, only talk your way into more charges.
|
| >Who determines "good faith"?
|
| If there's a real dispute about this and you've been charged,
| ultimately it is up to the jury to decide.
| l33t2328 wrote:
| This is a bad interpretation of good advice. Yes, once you're
| booked and in the interrogation room, shut up and lawyer up.
| But on the street...
|
| You can absolutely talk your way out of things, and you can
| "assert your rights" into charges.
|
| If you refuse to do anything more than legally obligated at a
| traffic stop, you could easily get a ticket instead of a
| warning.
| shadowgovt wrote:
| > who determines "good faith?"
|
| In this context, it's the DOJ chain of command. This sort of
| memorandum isn't something that will impact a person's day in
| court directly should they be prosecuted; it indicates to
| prosecutors what the Executive branch would consider a
| "career-limiting move" to waste public resources prosecuting.
|
| Compare with the Obama-era guidance about federal drug law
| enforcement in states that had decriminalized marijuana.
| Technically, marijuana never stopped being a (federal)
| controlled substance, and _every_ state grow operation and
| distribution center is in violation of federal law. Obama
| made clear that enforcing that law in those states would be a
| great way to send a strong signal to one's boss "I'm
| comfortable at my current level of achievement and feel no
| need to ever be promoted in the future," and that policy
| basically hasn't changed in the intervening two
| administrations. But the federal law is unchanged on the
| matter.
| tptacek wrote:
| "Good faith" is carefully defined in the policy linked at the
| bottom of the press release you're commenting on.
| mewse-hn wrote:
| I went down a small rabbit hole after reading this, curious if it
| would have saved Aaron Swartz's life.
|
| It seems the lynchpin of the prosecution of Aaron Swartz was that
| the CFAA criminalizes the breaking of a Terms of Service
| agreement (i.e. it is a felony to break a terms of service).
|
| They've attempted to address this with "Aaron's law" but it is
| stalled in committee - people have blamed Oracle for lobbying it
| to be blocked.
|
| So.. this is a nice move from the DoJ, but not enough. Patching
| up a bad law with a policy to protect good faith security
| researchers is good, but it's still a bad law.
| oversocialized wrote:
| tptacek wrote:
| Swartz wasn't doing security research, and was charged with
| wire fraud, not just unauthorized use under CFAA. This wouldn't
| have helped him.
|
| He'd also likely have been undone by the provisos attached to
| "exceeding unauthorized access"; the red line the new policy
| draws is that once DOJ can demonstrate that someone _knowingly_
| exceeded their access, they're fair game, even if the
| conditions they violated were spelled out only in a contract or
| terms of use.
| chrisfinazzo wrote:
| IANAL, but I question whether the wire fraud charge would
| hold up. The layman's definition doesn't seem to apply.
|
| Of course, my memory may be failing me as to details that
| would make it relevant in his case.
|
| https://en.wikipedia.org/wiki/Mail_and_wire_fraud#Wire_fraud
| tptacek wrote:
| The layman's definition doesn't matter in the least. What
| matters are the jury instructions, which you can look up.
| The court system does not in fact leave it up to whatever
| definitions of a crime happen to be bouncing around in the
| jury's heads; the conditions required to find someone
| guilty of a crime tend to be spelled out in great detail.
| chrisfinazzo wrote:
| Jury instructions which are sure to include a version of
| "the wire fraud statute is defined as x, for those of you
| who are not attorneys, think of this as {{ Insert
| layman's definition here }}."
|
| Rephrasing would help the jury understand how to evaluate
| Aaron's actions and determine whether or not they meet
| the standard.
|
| I may be missing something about what transpired that
| causes me to think that it does not apply, but you can be
| sure that the jury will have heard evidence from the
| prosecution which lays out why they believe it is
| relevant in this particular case.
| Uehreka wrote:
| Here are some Model Jury Instructions for Wire Fraud
| charges from the 9th circuit:
| https://www.ce9.uscourts.gov/jury-instructions/node/583
|
| They're not what I would call a "layman's definition".
| When you're on a trial like this, you'll probably get a
| printed out version of these instructions to read over
| and over while deliberating. And the lawyers on each side
| will try to contextualize their arguments against this
| exact language (as long as the judge doesn't think
| they're being misleading or breaking other rules).
|
| You may not come into the trial as an expert on wire
| fraud, but the court will give you the background info
| you need, and you're expected to make a judgement based
| on the law.
| tptacek wrote:
| No, that's not how jury instructions work. Just go look
| them up! They're incredibly useful for message board
| discussions about specific crimes.
| gnfargbl wrote:
| > even if the conditions they violated were spelled out only
| in a contract or terms of use.
|
| Is that correct? In https://www.justice.gov/opa/press-
| release/file/1507126/downl..., I see:
|
| > that division is established in a computational sense, that
| is, through computer code or configuration, rather than
| through contracts, terms of service agreements, or employee
| policies
|
| and later
|
| > A CFAA prosecution may not be brought on the theory that a
| defendant exceeds authorized access solely by violating an
| access restriction contained in a contractual agreement or
| term of service with an Internet service provider or web
| service available to the general public
|
| and
|
| > the Department will not take the position that a mere
| contractual violation caused the user's previous
| authorization to be automatically withdrawn
|
| However, any previous authorization _is_ withdrawn if you
| receive something that you should understand as a C&D.
|
| It seems to me that this new policy says that to reach the
| threshold for CFAA prosecution you must now do more than
| "just" violate the terms of service. Am I misreading?
| ARandomerDude wrote:
| > curious if it would have
|
| Hypotheticals like this are difficult to answer seriously.
| Still, if I had to guess, I suspect he would have been
| prosecuted nonetheless because he wasn't a good faith security
| researcher.
| shadowgovt wrote:
| Better mental healthcare might have saved Swartz's life, not
| different laws.
| jedberg wrote:
| On the one hand, you're absolutely right. Anyone who kills
| themselves clearly had some sort of mental health issue. But
| on the other hand, he grew up in a wealthy family and briefly
| attended Stanford -- he had access to some of the best health
| care in the world already.
|
| So I'm not sure better mental healthcare would have helped.
| Probably more along the lines of destigmatizing mental
| healthcare might have helped, which is a much harder problem
| to solve, but also something that thankfully Millennials/Gen
| Z are doing on their own. It's no longer taboo to mention
| that you're in therapy.
| mc4ndr3 wrote:
| Require publicly funded research to publish results publicly,
| instead of hiding it in paid gardens.
| tzs wrote:
| It wouldn't have made a difference. People tend to forget just
| how much effort Swartz put into repeatedly evading MIT's
| attempts to kick him off their network. That's not the kind of
| situation this policy change is trying to address.
|
| Heck, from the description of "Aaron's law" on Senator Wyden's
| site I'm not sure that would have made a difference either. It
| probably would have at most reduced some of the redundant
| charging, but since the redundant charging doesn't actually add
| to the sentence if convicted it would not really have affected
| the ultimate outcome much.
|
| There's a good summary of the long cat and mouse game to try to
| kick him off the network, and an analysis of the various
| charges against him and how likely they were to stick here [1].
|
| [1] https://volokh.com/2013/01/14/aaron-swartz-charges/
| givemeethekeys wrote:
| I don't trust this. How many administrations and ruined lives did
| it take? Why did it take so long?
| tptacek wrote:
| I don't know. How many lives did it ruin? How many people in
| the US have been charged under CFAA for doing security
| research?
| mindcrime wrote:
| Not only that, but as merely a change in policy, as opposed to
| a change in the actual law, it's more or less alterable on a
| whim. A new administration, or even _this_ administration could
| reverse this at the drop of a hat. So it's not exactly
| something to rely on to any tremendous degree.
| glitcher wrote:
| Exactly, and this point is even illustrated in the final
| words of the last sentence of the announcement:
|
| "The new policy replaces an earlier policy that was issued in
| 2014, and takes effect immediately."
| kingcharles wrote:
| Good luck on this. Might not stop you getting arrested and put
| into pretrial detention for years until you find the right
| prosecutor to dismiss the charges.
|
| A policy isn't a change in the law. The statute needs to be
| changed to add an exemption for security research. Until that
| happens I'd be careful.
| pluram4815 wrote:
___________________________________________________________________
(page generated 2022-05-19 23:00 UTC)