Attaching serious criminal charges to the act of feeding an automated system input that the automated system does nothing to verify is crazy (that is, it isn't wire fraud to use a variety of email addresses on a system that does nothing other than note the address that was input).
The indictment uses language like "Although a MAC address is intended to be a permanent and globally unique identification". And yet nobody serious about security has any expectation that a MAC address is permanent or globally unique (it is well understood that they aren't particularly useful for authentication).
If the government wants to attach serious charges to accessing computer systems, there should at least be some sort of notification that the provider of the system considers the system to be protected under federal law, not this running backwards to say that accepting an email address or having the capability to block a MAC address somehow makes a network 'protected'.
To be perfectly clear, I'd be entirely fine with a broadly applicable lesser charge that applied more generally to computer tampering, for cases where the prosecutor wanted to argue that a user exceeded intended access and such.
> The expert witness that was working with the defense states that JSTOR did not require passwords from computers on MIT's network
The problem with this logic is that it assumes the content hoster has the responsibility to actively keep attackers away. Sure, it's a great idea, but is it really their duty to stop from being victimized?
If a bank left their assets in the middle of the lobby they'd be stupid, but it would still be theft on the part of the robber when it inevitably gets stolen.
A better analogy might be that having stolen some magazines from a bookstore (a surprisingly large number of magazines...), the thief was charged with breaking and entering and safe cracking, rather than shoplifting.
And people that attach computers to the public internet absolutely do need to be treated as responsible for the information that those computers transmit. If they want to claim that they intend to limit access to the information, they need to take meaningful steps to actually put limits in place.
I don't mean to say that there should be no recourse in situations where intended access is exceeded, I mean that the bar for a 30 year felony needs to be a little higher than "we didn't intend for our system to be accessed in that manner".
> And people that attach computers to the public internet absolutely do need to be treated as responsible for the information that those computers transmit. If they want to claim that they intend to limit access to the information, they need to take meaningful steps to actually put limits in place.
That goes entirely against the principles on which activists claim the Web is based. Instead of a democratic network where anyone with an IP address can fire up an httpd and be (in theory) just as equal as any other DNS entry, you're saying there need to be technical measures put in place to enforce an "honor code". What's next, DRM on mp3 files?
But either way, they and MIT both took many "meaningful steps" against aaronsw, and he sidestepped every one.
> I don't mean to say that there should be no recourse in situations where intended access is exceeded, I mean that the bar for a 30 year felony needs to be a little higher than "we didn't intend for our system to be accessed in that manner".
Luckily, 30 years wasn't the sentence in question, even with the heavy-handed prosecution in place, and what transpired was more than "our system was accessed once in an unintended fashion". So the bar probably does need to be moved, but it's not as if he simply wandered near the wrong Wifi hotspot and accidentally mirrored a website...
I'm saying if you choose to configure your server to answer a request, you had better not come back later saying you didn't mean to answer that particular request. It's exactly in the spirit of the web; publishing something at a URL is a grant of access to whatever was published.
When Russian authorities jailed Pussy Riot for dancing on a church altar under the charges of "hooliganism and inciting religious hatred", it is clear that the authoritarian streak had gone too far.
Many people have thought Swartz's crime was to download documents. But actually, JSTOR has stated they had settled with Swartz and it was not a problem and not to press charges.
What the government actually did is to charge Swartz for WIRE FRAUD. This is for plugging his computer into the MIT LAN. WIRE FRAUD is reserved for people with criminal intent. Aaron's actions were as criminal as Pussy Riot's dancing in miniskirts to draw attention to Putin's hand on the Russian government.
The US government will continue to spin this as "hacker" and "document download". Do not get drawn into this. The correct framework to think about this is when Gandhi and his supporters got clobbered by the British police for breaking a salt-making monopoly. To Gandhi, the premise was simple: salt comes from the sea and no one owns it. A law that grants monopolistic rights to limited organisations for something as universal as the sea has no justification.
It is important to note that Aaron was not talking about giving away MP3s etc. He pointed out that scientific papers that were already in the public domain were starting to get locked up behind pay walls. There is nothing right about this. When he started to figuratively walk to the ocean to make his own salt, he was charged with criminal trespass.
As a footnote, after the Salt March - where hundreds of non-violent protesters were beaten up by the police - the British were shown up to be bankrupt of moral authority. This is the threat the DOJ faces today.
We are not allowed in this country to look across a landscape of lawfully operating organizations and businesses, choose the ones we dislike, and execute plans that abuse their computers to bring about their destruction. That is what Aaron was essentially charged with doing, and there was not NO evidence that that was his plan.
If you think educated people are upset about closed academic publishing, you should talk to the millions of Americans (I AM NOT ONE OF THEM) who are upset about abortion. Better yet, you should listen to their rhetoric, because they don't think they're liberating science and culture; they think they're standing athwart engines of mass murder. They too would like to abuse computer systems to hasten the demise of disfavored organizations, for instance by publishing patient lists stolen from computer systems.
No part of observing this means I have to accept that Aaron was handled reasonably by the prosecutors, that I believe Aaron should have been at any risk of serving prison time, or even that I think that justice demands he walk away with at least a felony conviction. Equivalently, it does not mean that 'tzs is an authoritarian.
Using the "colour of your bits"[0] metaphor, keeptrying is describing the bits, and you are describing the colour.
So, what was actually done, as keeptrying says, was download a few files on a semi-public network, but as you say, the "crimes" associated with that action can be much more significant than looking at what was done out of context.