undefined | Better HN

0 pointstptacek9y ago0 comments

What would negligence liability for site owners have to do with criminal liability for hackers? When someone breaks into a warehouse left negligently insecure by its operators, the warehouse customers might sue the operators. But that suit will have no bearing whatsoever on the criminal prosecution for the person who actually broke into the warehouse.

Breaking into warehouses is a crime because no matter how bad a job the owner of a warehouse does at locking their warehouse up, we don't want random people breaking into other people's property. Why would the logic for Internet sites be any different?

Also, as I'm fond of pointing out: you can coherently and reasonably lobby for liability for site owners who fail to keep out hackers. But I don't think most HN readers are going to like where that leaves the industry. Hint: Facebook and Microsoft aren't going to have any real problems surviving. But indie developers? Different story.

0 comments

3 comments · 1 top-level

mindslight9y ago· 2 in thread

I believe you've previously argued that one problem with current computer crime sentencing is that that difference between a misdemeanor and a felony is the number of iterations of a loop. My add-on to that if it is so easy to increase the scope, then perhaps such activities shouldn't even be bona fide criminal! Hence my allusions to "wildlife" and "Internet background radiation" - phenomena that can't really be ascribed to an individual's intent but will still mess stuff up.

Regarding intent - we don't need sledgehammer-crime laws to cover intentional destruction of a computer system using a sledgehammer. So why do we need network-crime laws to cover intentional destruction of a computer system using network communication? It seems like in either of these cases, one should be prosecuted for intentionally destroying a computer system regardless of the chosen technique.

I think this is where the culture divide originates. Because for many instances of cracking, curiosity is the sole motivation. While things can be damaged in the process (and thus one would be civilly liable), there isn't justification for criminal charge of malicious destruction. Of course, the curious cracker is still trespassing - but contrast current sentences with the general severity of meatspace trespass.

Now, this specific case does seem to have more serious intent than simple curiosity. And it's hard to find a guiding analogy, since analogous situations range from publishing the contents of a journal shoulder-surfed at a coffee shop (ie "tough shit!") to publishing the contents of intercepted postal mail (another area where technical abstractions have been warped into creating extreme penalties).

Perhaps if publishing someone's "protected" (in Java parlance - not public, not strictly private) information makes us feel that some wrong has been committed, then that itself needs to be the crime. Switching the paradigm to one directly based on activity (rather than access) could certainly help to curtail commercial surveillance bureaus who currently trade in this kind of information with impunity.

AFAIK, "Indie developers" aren't creating life-critical devices and should be disclaiming any use of their tools for such (eg "NO WARRANTY"). Every IC datasheet doesn't contain an explicit disclaimer regarding such just for kicks.

And if a shop is, for instance, creating and integrating life-critical Internet-connected medical devices based on Linux/C !? They should be scared away from that activity.

tptacekOP9y ago

I generally don't think that people who hack for curiosity should receive custodial sentences on their first conviction.

But Guccifer isn't that. He wasn't curious about how things worked. He was curious about the contents of Jeffrey Tambor's mail spool. That's a malignant kind of curiosity, and I feel no compulsion to mitigate its criminality. We should be using criminal law to keep creepy people from invading other people's privacy. (Yes: that includes anyone who might be doing that improperly under color of law).

All that aside, most criminal sentences are far too long. Guccifer's is not at the top of my list of crimes that should have their sentences ratcheted down, but it's not entirely off the list either.

Be careful about the goal-posts here, please. Guccifer didn't hack life-critical systems. Any cat-sharing startup can create the same kinds of risks to Jeffrey Tambor that Guccifer's targets did.

mindslight9y ago

The reason to have a problem with his conviction is that it was done under an overly broad law that can be used to convict many people, but is selectively applied. This is not the rule of law.

The actual creepy activity (and subsequent publishing) aren't the things that he was convicted for. Perhaps they should be, and perhaps being so would have even encouraged Guccifer to stay on the right side of the publishing law.

"The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels." - Mencken

FWIW, a cat-sharing startup (or webmail provider) seems in a prime position to continue disclaiming any security warranty. In fact, I'd be surprised if they did not. If users are actually interested in a security warranty, then they should seek alternate providers that are willing to advertise such, have obtained some sort of insurance, and have prespecified some amount of liquidated damages.

I too can see the general concept of liability being perverted by the government into something mandatory for any software developer. But I've advocated nothing of the sort, only application of the standard fitness warranty on real-world integrations. I haven't moved the goalposts - medical equipment is just one area where it's very clear such liability can't be disclaimed.

j / k navigate · click thread line to collapse