Aaron projects/CFAA: Difference between revisions
Revision as of 10:19, 9 November 2013
- Goal
- Let's prepare for a full repeal of the CFAA and replacement with sane law.
- Questions
- How would we construct good law in these areas, from scratch?
- How do different areas of law, policy, and internet governance view the law and its impact?
- What would it take to generate support for a [repeal + replace] action, in each area?
- What are the professional and philosophical circles for each of these areas, where these issues are discussed?
Overview
The CFAA was developed over time as a merger of ~7 different areas of law. It has developed in an aggregate way, and few groups are happy with the current law. It is so broad that prosecutors like it because they can use it to force plea bargains, since it applies to almost everything in its sphere of action (relying on prosecutorial judgement).
Different parts of the story: National defense, cyber war, data sec, corporate law, contracts online. Authorization based on code, contract, social norms. Legal frameworks used to push political means. Career standards for prosecutors defined in political ways.
Background
- Aaron's Law
- Analysis from January, EFF suggested changes
- June update via Lofgren, July update via Wyden
- EFF action page - send a letter to your senators
- Govtrack updates
- H.R. 2454 (Lofgren bill; referred to House Judiciary subcommittee on Crime, Terrorism, Homeland Security, and Investigations)
- S. 1196 (Wyden bill; referred to Senate Judiciary)
- H.R. 2077 (Perlmutter bill; referred to House Judiciary subcommittee on Crime, Terrorism, Homeland Security, and Investigations)
- S. 1426 (Blumenthal bill; referred to Senate Health, Education, Labor, and Pensions Committee)
Comparative Law
Details
- Aspects of the search
- "Advanced technical crime" -- The deployment of the SS was a bit peculiar; but they were the only fed. agents trained in what they were looking for.
- Civil rights concerns
- Part of the prosecution that was particularly troubling: at one point in the investigation, it felt that they were keeping the prosecution going because they had spent so much time bringing it along. There was no will from victims to keep it going, and not necessarily any other desire, but the prosecutors for their own reasons wanted a conclusion.
- Suggestion: employ economists to remind people of sunk costs
- Three levels of problem
- Occlusion of different agendas and sets of laws
- Compare pre-computer to post-computer laws for identical crimes.
- Problems with prosecution as it happens today
- Motivations for initiating/closing cases
- The nature of CFAA as it's been employed
- Failure of proportionality
Legal elements
There are 7 planks to 18 U.S.C. § 1030
- Knowingly accessing a computer without access or exceeding access, and obtaining security, foreign relations, atomic info
- rarely used, as it is substantively overlapped by other areas
- Intentionally accessing a computer without access or exceeding access, and in so doing obtaining "information," financial records, or U.S. government info.
- the biggest and most frequently used for access-and-downloading type offenses
- Accessing without authorization (not "exceeding") a US government owned or controlled computer
- Equivalent to the statute on wire fraud, but replacing "wire" with "computer" and tweaking the details
- Overlap with WFA, rather irrelevant in current environs
- Computer damage
- three separate crimes ("damage" = impairment to integrity and availability of data; "loss" = reasonable cost of responding to offense, including costs of damage assessment)
- knowingly cause transmission of program and intentionally cause damage
- intentionally access a computer and as a result recklessly cause damage
- intentionally access a computer and as a result cause damage and "loss"
- Password Trafficking
- Extortion through use of computer
Proposed solutions
Aaron's Law
- Lower some of the penalties for crimes that produce little or no harm,
- Delete a provision that is repeated elsewhere in the statute
- Clarify once and for all that violating terms of service agreements is not a crime.
- NB - Chin in US v. Drew - precedent that an individual, violating a TOS without a script, is pretty clearly not a crime. But it is still always used as a threat to amplify perceived risk.
- current status
- referred to the Crime, Terrorism, Homeland Security subcommittee of the Judiciary Committee (chair: Sensenbrenner)
Principles
- compare Necessary and Proportionate principles
What substantive things should be in a rational computer crime law?
Positive principles
- Parallelism with non-computer crime law
- Proportionate punishment
Negative principles
- Avoid confusion/overlap between different parts of the government
- in terms of means and ways
- b/t different parts of the government
- b/t different phil and pol goals
- b/t social-good and infosec goals
Open questions
Feel free to suggest brief answers, pointers to where this is discussed.
- Does 'authorization' make sense as the basis for such a law?
- As opposed to other corollaries re: trespass and access. Compare historical ways of handling these issues.
Active proposals
Patching existing law
- EFF proposals and ideas
- Limit scope of "exceeding authorized access"
- Say: contractual violation can't be the basis for this
- Amend the Wire Fraud Act
- Say: contractual violation can't be the basis for this
- lower penalties for crimes that produce little or no harm
- cleanup: delete repeated provision, delete provision repeated in WFA
- clarify once and for all that violating TOS is not a crime (nb: it can still be prosecuted civilly)
- Fork the Law page, listing legal history and proposed changes
Creating something new
- Manifesto
- A la necessary and proportionate manifesto created after PRISM: https://necessaryandproportionate.org/text
- Hack on this version: CFAA replacement
- Drafting example legislation?
Additional needed resources (1 hour projects)
- mapping out where the CFAA overlaps with existing law; identifying areas left untouched.