I'm really sick of these sensational posts/comments showing up on HN. I know, I'm not supposed to complain about quality of posts or comments but the past week has really changed my view on the current state of HN. Witch hunts, sensational stories, jumping to conclusions, hating the law/government, etc. Let's go back to technical news.
The OP is alarmed at the use of common privacy enhancing techniques (of which wearing a ski mask is one) which allows a prosecutor to 'enhance' the charges against someone to increase the threat level. They are also alarmed that non-technical people cannot see that changing your MAC address is just "easy" for a technical person to do as holding one hand over the other as you type in your PIN at the grocery store, and equally innocuous. Nobody disputes that 'changing your MAC address' should not be considered as evidence of intent when prosecuting a crime, but there is a lot of dispute as to whether that action in and of itself rises to the level a crime in its own right. This is what the OP fears will happen, and there is some evidence to support that.
That takes us to your second paragraph which talks about how painful it is for you when others express their emotions with respect to the events of the past weekend (and to be clear other events like it). Generally, yes, HN is a community of technologists and technology enthusiasts who discuss the merits or lack thereof of various technology trends, events, and personalities. That said, it is also a community of people. People can often discuss dispassionately about topics that are at arms length, but the weekend case struck close to home for noticeable fraction of the hundreds of thousands of people who visit this community. They need time to process these events, and one way they process them is that they talk about them.
My point is that it helps to appreciate that others may be more affected by recent events than you were and this is their way of processing their emotions. No need to whine about it, you can take a break from HN for a week or so until it winds down. When things are continued beyond their reasonable lifetime they tend to get moderated down. Patience.
The only clear concise analysis I have seen in the myriad of submissions was an analysis by Prof Orin Kerr, which was full of comments containing more hyperbole, that disappeared to no where instantly.
Speaks volumes IMO, and it's really deterring to some of us who prefer learning and discussing the facts in a more well thought concise, clear, and logical manner.
Yet the whole of HN was full of nothing but Aaron Swartz articles for days. I stopped visiting HN for a bit. It was frustrating to me as I have no connection to Aaron Swartz (beyond using RSS and Reddit), although I realised it affected some people very seriously and needed to use HN as an outlet.
Having said that personally I felt that HN was the wrong place for an overrun of Aaron Swartz tributes and articles. My inner cynic sadly feels that quite a few of the posts over the weekend (especially some from some of his blog posts) were attempts at little more than karma scoring.
By analogy, there's nothing illegal about entering a building through the window. But if you try the door of a random and find it locked and then enter through the window that's still trespass. But if you make a habit of always entering buildings through open windows when they're available so you never try the door you might be able to argue that you didn't know the building wasn't public. At least, you could try to argue it to a jury and depending on the circumstances I guess it might work.
There is a chasm between what "normal"/non-tech people might consider proof of mens rea (and probably explains some of the history of the laws) and what technical people would consider proof. Technical people do stuff like MAC spoofing all the time, as in the article.
I run Tor because I can always reach my SSH server as a hidden service, even through firewalls. I strip my HTTP headers with an HTTP proxy because I don't like having to constantly configure all my browsers to throw out adnet cookies. I set curl and wget to spoof a more common user agent, because some things simply don't work otherwise. This sort of remedial stuff literally scares non-tech people, and having to constantly explain and justify such network magic to anyone who doesn't know how technology and networks work just to make them feel better is tantamount to bending over for a TSA screening because you're brown (OK, not quite that bad). It's increasingly demoralizing, and doesn't feel like freedom in a supposedly free country (Canada). I have nothing to hide; I'm still not willing to bend over like that. No one should. It's the new McCarthyism. Lawmakers and non-techs are afraid of us, and so we're treated differently, and it's becoming scarier (just because SOPA was stopped in one country doesn't mean there won't be more). I don't want to work to help people who fear my knowledge rather than celebrate it and, while I hardly think "web apps" represent anything like the future of the Internet, I'm a little afraid to work on much else if I intended to release it. (The person who made bitcoin didn't want his identity on it.) We're already paying the price.
Changing MAC addresses (upon every restart) is something I do too. It is an extremely easy thing to do. That such an obvious thing will effortlessly add to a list of charges, amplifying the prosecutor's case for no good reason, is what the issue is.
The most frustrating thing about your comment is your condescending attitude. It's exactly this kind of behavior that is sliding us down a path of draconian laws that will in the end harm us all. Please think before going off like this.
In the law as it exists, doing something "anonymously" for the purpose of committing a crime is itself a crime. It's not the act of changing the MAC address that is illegal by itself. That was the point.
Your point, I think, is that that "extra" crime is a silly law. Which I think many of us agree with. But it's still the law, and it's not unreasonable for a prosecutor to enforce it. In fact, they have a duty to do so.
Turning around and claiming that "the gubmint wants to lock up MAC randomizers!", however, is just dumb. That's not what the law in this case says at all.
Also the prosecutor is typically going to overstate the charges and the defendant will understate them. In this case the prosecutor went for 35 years and the defendant went for zero years (not guilty). This is where the judge comes into play. If Aaron shows that he changes his MAC address every morning then that charge will likely be dropped. If it's found that he only changed his MAC to bypass a restriction, it could be seen as concealing.
Besides, arguing against a comment for it's attitude isn't an argument at all. The original comment was essentially a (valid) "so what?" to the article; it wasn't a refutation of fact, but expressing a frustration at the non sequitur implied by this, and allegedly, many other articles on HN.
While hating on the system can be done in stupid ways, ignoring these sorts of things doesn't make them less real.
Besides that, this sort of thing fits the criteria for submissions on HN. I'd even go so far as to say that this is more appropriate than the latest news about incremental changes in X.
I don't get how not posting this stuff to HN equates to ignoring it. I have a life outside of HN, and so can all kinds of extremely important issues!
Seconded, and I'm also tired of the dogmatic and uninformed approach to legal issues. Just because law employs logic does not mean that being a programmer gives a superior understanding of law. The same misconceptions crop up over and over again and badly lower the signal:noise ratio.
Honest question: why is that? Why is it not enough to charge someone for the actual crime they committed? Why does someone need to be charged for committing it a specific way?
That's because State Power is not, contra popular imagination, based on a monopoly of violence, which only exists nowadays thanks to the triumph of its real source. It's based on legibility: by abstracting the world and identifying and naming its subsystems, the State creates its own power. Naming and identifying people is a natural part of that: indeed, adding last names to a first name to create a (ostensibly) unique global identifier was one of the first projects of the modern State. One hundred faceless people you have to monitor at the moment is far more dangerous than a thousand identified people you can attack after the fact.
You can carry a concealed handgun and shoot it at a shooting range, but if you murder someone with it - you will not only be charged with murder, but also with unlawful use of a handgun. There is no story here. Ugg...
But again, I am not a lawyer.
Suppose that you have an ISP that only allows you to connect one device to their modem. (This used to be very common.) Suppose that you want to connect a different device. (Again a common desire.) Suppose that you spoof the MAC address of the original device so that you can connect. (This use case is a big part of why consumer electronics added the ability to spoof MAC addresses.)
Under federal law, you've now committed a felony for which you can serve jail time. Your access to your ISP's network is unauthorized.
Let me make this personal. This is not a random use case. I have done this. If anyone had cared, I could be charged with a felony. I could serve jail time, for accessing a network that I paid for in a way that I thought was pretty fair. (My "crime" being that I wanted to attach a wireless modem to the network so that I didn't have to have a wire connecting my laptop while I was using it. OK, I was bad, my wife and I could both use computers at the same time.) I didn't think I was doing anything wrong. It was a pretty common act. It was still a felony.
So no, randomizing your MAC address is not illegal. But the line between legal and a felony here is awfully easy to cross.
The CFAA criminalizes "unauthorized access" and "exceeding authorized access."
The unauthorized access provision applies to various means of hacking into a computer. The exceeding authorized access provision applies (in general) to company and government insiders. "The term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. §1030(e)(6)[3]
Your contract with your ISP gives you access to the network. By spoofing a device, you would breach your agreement with the ISP, but you would not be obtaining or altering information that you are not already entitled to under your agreement with the ISP as an authorized user.
In sum, for an authorized user to commit a crime, he must break through the access level he was granted by his authorization and reach information that was effectively closed-off to him.
1. http://en.wikipedia.org/wiki/Lori_Drew#Guilty_verdict_set_as...
2. http://itlaw.wikia.com/wiki/EF_Cultural_Travel_v._Explorica (One of the most inane cases I've ever read.)
Setting up four different laptops all with the same MAC, so that either you or your three neighbors could share the connection, is probably closer to the kind of thing that would land you in jail.
That's why the law leaves it couched in terms unlikely to change (like "authorized access", "intentionally" doing something, etc.) and leave the charges to be considered in light of the totality of what went on.
Would a jury convict on typing in one URL, realizing it gave access to an admin panel and just leaving the site immediately? Hopefully not...
Would a jury convict on building a screen-scraper that steals the password for users by incrementing ID's on a URL that wasn't public but wasn't properly secured? I would think so. Sometimes the circumstances of the case matter more than the law itself.
They're not difficult to interpret.
You just don't like them.
Be intellectually honest.
The laws don't recognize "information wants to be freeee" or any such pablum.
http://www.digitaltrends.com/mobile/att-ipad-hacker-auernhei...
The closest thing that comes to mind is the 2006 incident in which a researcher from the candidate opposing Governor Schwarzenegger logged onto the governor's public FTP site and stepped-up a directory to find a bunch of private audio recordings:
http://articles.latimes.com/2006/sep/13/local/me-audio13
A five month investigation by the CHP found that no illegal action had been done: http://www.mercurynews.com/ci_5145796
Of course, this involved a political campaign with millions of dollars (and publicity) behind it. The CHP arresting Arnold's opponent would not turn out well for anyone...if this had been a teenager who tried it, who knows?
Probably a line with small damages if it's just your home router.
I don't really know how to explain how I feel about it, but that's my understanding.
Maybe they could make it illegal if they got a restraining order, but AFAIK MIT did not do that.
What you're getting at is the scope of implied license and how it can be revoked. Here is a pretty good, non-legal take on it: http://news.domain.com.au/domain/real-estate-news/how-privat...
Basically, the implied license has a scope defined by the rationale for the implication. If you invite a plumber to fix your toilet, they don't have license to use your jacuzzi (though a dinner guest might!) A license can be revoked in any manner that reasonably conveys the revocation to the licensee.
The law of property isn't directly applicable to computer networks, but is a source of guiding principles and analogy. If you're on an open network and the administrator bans your MAC address, I think a normal person would conclude that the message that you are no longer welcome has been reasonably conveyed. Moreover, MIT Net does have terms of use, and one of those terms (#4 of 6) is: "Don't misuse the intellectual property of others." You can also argue that these terms of use define the scope of the implied license to use MIT's open network.
I would say it's safe to assume that if your MAC address gets banned, it was for a reason. It means you're not welcome on the network anymore.
He knew that MIT was trying to stop him from being on their network, and he continued to evade their countermeasures and get back on the network.
How do I know this? Because I know Aaron was not an idiot.
"Intentionally accessing a computer without authorization to obtain: ....Information from any protected computer."
What does 'without authorization' mean, and what does 'protected' mean?
Does without authorization mean you violate a click-through license? Or is there some nebulous authentication chit you are handed? Is it a felony to fake your name on a website demanding your name?
And with that keyword 'protected', how do we know it is indeed protected? What steps one must take to protect, and what steps one must go through to understand that it is indeed protected computer/data?
In other words, we are all felons-on-standby. The laws are so vague as to entrap all by default.
Protected computer is actually defined in the statute (subsection (e)(2)): http://www.law.cornell.edu/uscode/text/18/1030
The problem, of course, is that in the original law it actually said "federal interest computer" instead and was targeted primarily at computers used by financial institutions and the U.S. Government (which you still see in subsection (A)), but has since been amended to include computers "used in or affecting interstate or foreign commerce or communication" which is a term of art that means anything within the power of Congress to regulate under the interstate commerce clause, which I'm led to understand means pretty much everything now. So that's even worse then: Sorry you thought it was vague and might have been able to argue your way out of it, I hope you enjoy your cell.
I really am astonished at how bad this law is. "Without authorization" is undefined and so overly broad that it seems to capture just about anything and then the penalties are preposterous even for the smallest of violations. We really need to fix this.
If so, facebook has made us all felons. We won't get access to facebook if we didn't give up our names, so it's wirefraud.
It would be a breach of contract if the website specified your "legal name" and that is defined in your jurisdiction. If you then used that access to acquire goods/services/property that you wouldn't otherwise get possession of then that would be acquiring by deception and most likely be breach of IP laws.
As for the wire fraud implications (which are separate from the CFAA), if you cause a false statement to be transmitted for the purpose of obtaining money or property, you have committed wire fraud and face a potential 20 year sentence. Spoofing MAC addresses to exceed access limits, for example, would qualify. You are causing your device to mask its true identity for the purpose of obtaining "property" that you wouldn't otherwise have access to.
Excellent insight.
It was frustrating that in high school, whenever any computer shenanigans went down, I would always be the one who was automatically called to the principal's office. And some of those times, I wasn't even the one responsible. ;)
If my telephone at home suddenly and inexplicably stopped working and I walked up the pay phone down the street to get another phone number, am I running the risk of legal consequences because my own phone number may have been cut off on purpose?
If he was explicitly told why his MAC addresses were being blocked, you may have a point. However, if he was explicitly talked to about what was going on, how was it able to escalate to the level it did?
Sometimes the very acts that you do when trying to conceal your identity can be used to reveal it.
