Aaron projects/CFAA

From Noisebridge
Revision as of 14:18, 9 November 2013 by 192.54.222.3 (talk)
Jump to navigation Jump to search
Work in progress; please link to other work here

Draft of Principles being edited online

Draft outline of replacement law underway
Goal
Let's prepare for a full repeal of the CFAA and replacement with sane law.
Questions
How would we construct good law in these areas, from scratch?
How do different areas of law, policy, and internet governance view the law and its impact?
What would it take to generate support for a [repeal + replace] action, in each area?
What are the professional and philosophical circles for each of these areas, where these issues are discussed?

Overview

The CFAA was developed over time as a merger of ~7 different areas of law. It has developed in an aggregate way, and few groups are happy with the current law. It is so broad that prosecutors like it because they can use it to force plea bargains, since it applies to almost everything in its sphere of action (relying on prosecutorial judgement).

Different parts of the story: National defense, cyber war, data sec, corporate law, contracts online. Authorization based on code, contract, social norms. Legal frameworks used to push political means. Career standards for prosecutors defined in political ways.

Background

Aaron's Law
Govtrack updates
  • H.R. 2454 (Lofgren bill; referred to House Judiciary subcommittee on Crime, Terrorism, Homeland Security, and Investigations)
  • S. 1196 (Wyden bill; referred to Senate Judiciary)
  • H.R. 2077 (Perlmutter bill; referred to House Judiciary subcommittee on Crime, Terrorism, Homeland Security, and Investigations)
  • S. 1426 (Blumenthal bill; referred to Senate Health, Education, Labor, and Pensions Committee)

Comparative Law

Details

Aspects of the search
  • "Advanced technical crime" -- The deployment of the SS was a bit peculiar; but they were the only fed. agents trained in what they were looking for.
Civil rights concerns
  • Part of the prosecution that was particularly troubling: at one point in the invest., it felt that they were keeping the prosecution going b/c they'd spent so much time bringing it along. There was no will from victims to keep it going, and not necc. any other desire, but the prosecutors for their own reason wanted conclusion.
    Suggestion: employ economists to remind people of sunk costs
Three levels of problem
  • Occlusion of different agendas and sets of laws
    Compare pre-computer to post-computer laws for identical crimes.
  • Problems with prosecution as it happens today
    Motivations for initiating/closing cases
  • The nature of CFAA as it's been employed
    Failure of proportionality

Legal elements

There are 7 planks to 18 U.S.C. § 1030

  1. Knowingly accessing a computer without access or exceeding access, and obtaining security, foreign relations, atomic info
    rarely used, as it is substantively overlapped by other ares
  2. Intentionally accessing a computer without access or exceeding access, and in so doing obtaining "information," financial records, or U.S. government info.
    the biggest and most frequently used for access-and-downloading type offenses
  3. Accessing without authorization (not "exceeding") a US government owned or controlled computer
  4. Equivalent to the statute on wire fraud, but replacing "wire" with "computer" and tweaking the details
    Overlap with WFA, rather irrelevant in current environs
  5. Computer damage
    three separate crimes ("damage" = impairment to integrity and availability of data; "loss" = reasonable cost of responding to offense, including costs of damage assessment)
    knowingly cause transmission of program and intentionally cause damage
    intentionally access a computer and as a result recklessly cause damage
    intentionally access a computer and as a result cause damage and "loss"
  6. Password Trafficking
  7. Extortion through use of computer

Guiding principles

compare Necessary and Proportionate principles

What substantive things should be in a rational computer crime law?

Positive principles

(see the draft)

Parallelism with non-computer crime law
Proportionate punishment


Negative principles

Avoid confusion/overlap between different parts of the government
in terms of means and ways
  • b/t different parts of the government
  • b/t different phil and pol goals
  • b/t social-good and infosec goals

Points of consensus

Based on conversations with folks at the Cambridge/Boston hack, these principles emerged as points of agreement. Other groups feel free to chime in as well.

  • Scope should be limited - the law should not run to the boundary of what we find ethical or moral. We want people to have freedom to "mess around" with the web (perhaps with some negligence-based liability if they cause actual damage). As with media law and "bad journalism", copyright and "plagiarism," the law should leave the edge cases for the community to set up a moral/normative/shame-oriented punishment scheme.
    • we feel as though there is sufficient persistent identity in the community that even pseudonymous hackers care about their reputations.
  • focus on bad access, leave use to other laws - laws on copyright, trade secret, identity theft, espionage, extortion, and fraud govern most of the "scary" use cases.
    • In this way, we are leaving the "hats" (black/white/grey/green) discussion for the community norms or existing law.
  • hold the party intending to do the bad behavior culpable - don't track liability to a person whose computer was unwittingly used to commit the crime.
  • Consent should always be a defense - server owners ask members of the public to do some weird stuff against their systems, but as long as they ask for it, it should never be a crime to access one's computer in that way.
  • Circumvention of a code-based authentication measure should be unlawful (leaving proportionality for another discussion). This includes cracking, password guessing, or human-engineering password disclosure.
  • Exploiting a code-based vulnerability to obtain information should be unlawful (leaving proportionality for another discussion). We are thinking of things like a SQL injection hack.
  • As to code-based vulnerabilities and authentication measures, some level of technical effectiveness should be considered. A "reasonable" standard may not be appropriate, as defining what is "reasonable" may lead to unnecessary confusion. But some consideration should be made to ensure that trivially-overcome measures are not considered within the scope.
  • Knowingly deleting or impairing the integrity of the work should be unlawful if done intentionally or recklessly. Moving down to negligence or strict liability at a certain damage threshold is harder to say.
  • penetration testing is squishy - an open call for bug bounties should be treated like consent to access the site (again, using laws govern bad uses)
  • "accidentally open" sites is squishy - e.g., sites that were supposed to be behind an authentication layer but are not. To a certain extent, it may be best to place the fault of this onto the coder of the site, with the comfort that certain uses by the obtainer of information may still be unlawful.

Open questions

Feel free to suggest brief answers, pointers to where this is discussed.

Does 'authentication' make sense as the basis for such a law?
As opposed to other corollaries re: trespass and access. Compare historical ways of handling these issues.
Is feigning authentication fraud? (when simply making up a new account; impersonating yourself, and not someone else)
Where do the following edge cases fall?
  • 'sockpuppeting' authentication where it's assumed you have one-account-per-user?
This is rarely prevented clearly.
Not the worst thing to do; it's not the same as impersonating a real person
  • Circumventing the auth process altogether?
This tends to be pretty bad. It's clearly defeating the system, when it requires finding a subtle exploit
Can be less bad when a system has an auth system but doesn't use it (e.g. it's never checked)


What's the ECTF doing? Who could provide oversight?
(cf fix-hacking-laws essay and Robert Graham's comment)

Active proposals

Aaron's Law

Lofgren & Wyden

  • Lower some of the penalties for crimes that produce little or no harm,
  • Delete a provision that is repeated elsewhere in the statute
    Amend the Wire Fraud Act
  • Clarify once and for all that violating terms of service agreements is not a crime.
    NB - Chin in US v. Drew - precedent that an individual, violating a TOS without a script, is pretty clearly not a crime. But it is still always used as a threat to amplify perceived risk.
    Limit scope of "exceeding authorized access"
current status
  • referred to the Committee on Crime, Terr, Homeland Security subcomm of Judiciary Committee (chair: Sensenbrenner)
  • lower penalties for crimes that produce little or no harm
  • cleanup: delete repeated provision, delete provision repeated in WFA
  • clarify once and for all that violating TOS is not a crime (nb: it can still be prosecuted civilly)
Fork the Law page, listing legal history and proposed changes


Creating something new

Manifesto
Drafting example legislation?

Additional needed resources (1 hour projects)

  • mapping out where the CFAA overlaps with existing law; identifying areas left untouched.