Nominee For Attorney General Tap Dances Around Senator Franken's Question About Aaron Swartz
from the fix-the-cfaa dept
We've discussed for years how broken the CFAA (Computer Fraud and Abuse Act) is. The law, which was written many years ago, is problematically vague in certain areas, allowing prosecutors to claim that merely breaking a terms of service you didn't read is a form of felony hacking -- as they define it as "unauthorized access." While there have been many egregious CFAA cases, one of the most high-profile, of course, was that of activist Aaron Swartz, who was arrested for downloading too many research papers from JSTOR from the computer network on the MIT campus. The MIT campus network gave anyone -- even guests -- full access to the JSTOR archives if you were on the university network. Swartz took advantage of that to download many files -- leading to his arrest, and a whole bunch of charges against him. After the arrest, the DOJ proudly talked about how Swartz faced 35 years in prison. Of course, if you bring that up now, the DOJ and its defenders get angry, saying he never really would have faced that much time in prison -- even though the number comes from the DOJ's (since removed) press release.Swartz, of course, tragically took his own life in the midst of this legal battle, after facing tremendous pressure from the DOJ to take a plea deal as a felon, even as Swartz was sure he had done nothing illegal or wrong. Since then, there have been a few attempts to update the CFAA to block this kind of abuse, but they have been blocked at every turn by a DOJ that actually wants to make the law even worse. This includes the White House's latest proposal for CFAA reform, which would actually make more things a felony under the CFAA, and could drastically increase sentencing for things that many of us don't think should be a crime at all -- such as tweeting out a list of worst passwords on the internet.
Outgoing Attorney General Eric Holder has done his best to ignore or downplay any suggestion that his Justice Department abused the CFAA in going after Swartz. And it looks like his likely replacement is trying to do the same.
Senator Al Franken questioned nominee Loretta Lynch about Swartz and the CFAA and got back a response that is basically her avoiding the question. She doesn't say anything about Swartz, but goes off on some FUD about the dangers of malicious hackers and how the DOJ needs the tools to fight spyware. She then claims that the newly proposed CFAA changes are okay because they only increase the possible maximum sentences, but not the minimums, leaving things up to the discretion of judges (and prosecutors):
Question 1. The Computer Fraud and Abuse Act (CFAA) has received attention for its potentially harsh penalties. In 2013, I wrote a letter to the Department of Justice expressing my concern about the way in which Aaron Swartz was aggressively prosecuted under the CFAA, and associating myself with a similar letter by Senator Cornyn. The Department’s response was, in short, that the prosecution of Swartz was consistent with the Act. Since then we have heard many people – from all over the political spectrum – call for reform of the CFAA. Recently, the White House announced a proposal to amend the Act. Some have characterized the proposal as a step in the wrong direction, noting – for example – that it would increase certain sentences. What is your assessment of these criticisms, and what is your opinion of the proposal?This, of course, misses the point. First, it assumes that longer sentences are somehow going to do anything to diminish the likelihood of malicious attacks. It won't. This is such a total braindead law enforcement view of things: that if only there were greater punishment it would scare the "bad people" out of doing what they're going to do. That's never really worked, and especially not in this area, where the law is being abused to go after people who don't think they're actually doing anything wrong.
RESPONSE: I believe that the Department of Justice has a responsibility to protect Americans from invasions of their privacy and security by prosecuting and deterring computer crimes. Accordingly, we must ensure that the CFAA, like all of our tools, remains up-to-date and reflects the changes in the way that cybercrimes are committed, changes that have occurred in the decades since it was first enacted. For example, I understand that the Administration’s proposals include provisions designed to facilitate the prosecution of those who traffic in stolen American credit cards overseas, to enable the Department to dismantle botnets that victimize hundreds of thousands of computers at a time, and to deter the sale of criminal “spyware.”
With respect to the sentencing provisions contained in those proposals, I believe it is appropriate to ensure that, in the event a defendant is convicted of a hacking offense, the sentencing court has the authority to impose a sentence that fits the crime. For example, the enormous harm caused by the massive thefts of Americans’ personal financial data from retailers illustrates the need to ensure that the maximum sentences available are adequate to deter the worst offenders. As the level of harm caused by the worst cybercrimes increases, I support increasing the maximum penalties available to punish those crimes to a level commensurate with similar crimes, such as mail fraud or wire fraud.
It is also important to understand that these statutory maximum sentences do not control what sentence is appropriate for less significant offenses under the CFAA. In many criminal prosecutions, including prosecutions under the CFAA of all but the most serious offenses, the statutory maximum penalty has little or no impact on the sentencing of convicted defendants. Instead, in each case, prosecutors make individualized sentencing recommendations, and judges make individualized decisions, based on such factors as the facts of the case, the offender’s history, and the U.S. Sentencing Guidelines.
Finally, I note that the Administration’s 2015 proposal does not include any new mandatory minimum sentences, and I support the decision not to seek any such new sentences in the CFAA at this time.
Second, it just plays up the FUD that "bad stuff is happening" so "something must be done." But it ignores how vague the law is and how it's wide open to abuse. A good law enforcement official would ask for clearer laws that more narrowly target actual bad behavior, rather than celebrating a broad and vague law that can be, and is, widely abused just to rack up more DOJ headlines and "victories."
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: aaron swartz, al franken, attorney general, cfaa, doj, loretta lynch
Reader Comments
Subscribe: RSS
View by: Time | Thread
Bad reasoning
"This is something."
"Therefore, we must do this."
[ link to this | view in thread ]
TL;DR summary
"SIT BACK AND WATCH BECAUSE YOU AIN'T SEEN NOTHIN' YET!! WE ARE GOING TO LIGHT. UP. SOME NON-VIOLENT MOFOS!! WOOOOOO!!!"
[ link to this | view in thread ]
She got my attention at hello.
[ link to this | view in thread ]
As has been pointed out before when you've posted articles about the supposed "persecution" of Aaron Swartz, this is nowhere near the whole story. IIRC the relevant part is the bit where--before getting arrested--his network access had been revoked for previous shenanigans.
MIT was running a network that, as you point out, was open to the public, even guests. In the real world, if you run a business that is open to the general public, but one specific person causes trouble and management tells them to leave because they aren't welcome, and then they come back, no one would find it unreasonable to call the police and have them arrested for trespassing.
Why is it that when Aaron Swartz does something that is exactly equivalent to this crime, except on a computer, that everyone tries to defend him and say he did nothing wrong?
[ link to this | view in thread ]
T.U. Deletes Your FB Post
[ link to this | view in thread ]
Re:
I will simply posit that the looming threat of inordinate amounts of prison time is not at all a just response to what amounts to a sit-in or a protest.
He didn't flounder into a closet and plant a bomb.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
Just because you like what he was trying to accomplish does not mean that how he was going about accomplishing it should be justified. Otherwise, you are literally arguing that the ends justify the means... when it's ends you agree with.
[ link to this | view in thread ]
Too big to fail
Hmm, so in other words, are you suggesting that these malicious attackers are too big to fail?
[ link to this | view in thread ]
Re: Bad reasoning
Poetic tyranny
[ link to this | view in thread ]
Re: TL;DR summary
[ link to this | view in thread ]
Re:
http://www.criminaldefenselawyer.com/crime-penalties/federal/Tresspassing.htm
While state laws allow judges the ability to impose a jail sentence for trespassing, convictions that result in jail time are uncommon. The potential jail sentences for most trespassing convictions range from several days to several months in jail. However, some states allow for up to a year or more in jail for the most serious trespassing crimes.
Note that trespassing in a public place is also not a felony, but a misdemeanor.
Contrast that with a 35-year felony... because of "on a computer".
[ link to this | view in thread ]
[ link to this | view in thread ]
Missing the point
The question should be more aimed at figuring out the type of people that the DoJ plans to prosecute under the CFAA. Will she continue to go after the low-hanging fruit to make headlines (just so they can remove them later?) or will she focus her attention on the far more damaging attackers?
Unfortunately, prosecutors are prosecutors. If they decide to go after someone, whether they are a harmless kid or a black-market kingpin doesn't matter; prosecutors go all-in. Once they decide to press charges, they will press any and all possible charges.
[ link to this | view in thread ]
Re:
So yes he does not have to say that MIT told Aaron to stay off their network, its sorta the same as walking on the grumpy old mans lawn and him yelling at you to get off the lawn. It should be a talking to not a possible 35 year sentence.
If the grumpy old man killed the guy for walking on it do you not think people would be outraged? Its sorta the same thing here the DOJ made the punishment worse than the crime.
If you think downloading a bunch of papers that anyone can get access to is worse than murder, I think you are one of the problems in this world.
[ link to this | view in thread ]
Re: Too big to fail
That would be much cheaper than the billions they are currently losing and also doesn't require making it possible to charge the next Aaron Schwartz with life in prison.
[ link to this | view in thread ]
Re:
Your analogy works, but you need to extend it a bit. Most people WOULD find it unreasonable if the penalty for trespassing was 35 years in prison. The punishment should have some relation to the harm done.
[ link to this | view in thread ]
Re:
And you know, its difficult to believe anyone who opens up with their understanding of rights, who then completely dismisses when they proceed to write about things that completely tramples them.......its like an obligatory mention that holds no meaningfull value to them, a lie to not make them seem so bad after expressing the opinions that make the lie..............i find myself thinking now as i have many times in the past, is it on purpose, do they not care, or is it some sort of sub concious lie, ........mmmmm, a conditioned lie maybe.......peer pressure, knowing if you dont toe the line, the environment being built the way it is, you'd be spit you out i.e. ridicule, fired, lawsuit, finance sabotage, arrest, prison, violence, death...........god dammit, thats not freedom
[ link to this | view in thread ]
Re: Re:
I forgot threatening
All of those things are the unsaid threat of what will eventually happen if you dont do as your told even if you know its wrong........that does not make an atmosphere of freedom, quite the fukin opposite........invisible chains are still chains
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re:
a glacier has more self-awareness than a wheeler...
so-o-o-o, you *would* (i mean you WOULD, richtig?) excoriate gummint institutions who argue that the ends justify the means, right ? ? ?
right ? ? ?
no, you do not, you are an abject authoritarian through and through; gummints can (and do) do a thousand times worse than aaron, and you won't open your yap...
[ link to this | view in thread ]
Re: Re: Re:
Add the article to your “reading shelf” to read the full text.
Save up to 3 articles on your shelf at a given time. After 14 days, you can remove articles and replace them with new ones. (That's up to 78 articles a year, FREE!)
Not to get all meta about shit but that sounds like a Verizon add to me lol...
And, that is not funded by the public and publicly available either.
It may be the 80+ dead shows under my belt but if a bunch of hippies can figure out how to archive literally everything I think MIT can sort out how to not be entirely disingenuous.
Shit, I would gladly house a gig of that stuff on my home computer and just farm it out over P2P to whoever needs whatever.
If folks can make games to fold freaking proteins I think we can publicly make available stuff that by law, or at least edict, is supposed to be readily available in the first place.
[ link to this | view in thread ]
Re: Re:
Please bear in mind that the only person involved in this case who "killed a guy" was Aaron Swartz.
[ link to this | view in thread ]
Re: Re:
(from http://www.criminaldefenselawyer.com/resources/criminal-defense/felony-offense/felony-classes-charge s-penalties)
Remember, with felonies, the punishment doesn't end when you leave prison.
All for a crime that, as Mason Wheeler so neatly summarized it, "is exactly equivalent to this crime", where "this crime" is strongly implied to be "misdemeanor trespassing".
All I can say is, that certainly seems to fall into the category of "Fair & Balanced" - in the Fox News sense of the phrase, at least.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
That's all I need to know about the DOJ. They don't care about cracking down on high impact criminals. They only go after small potatoes while totally ignoring serious fraud happening by the heads of corporations on a global scale.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
The current American government is considered the most openly corrupt one in a long time
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
And sign in, Art G, if you're going to post this nonsense.
[ link to this | view in thread ]
Funny, back in the day- driving while intoxicated got you a slap on the wrist. Now it'll get you hefty fines and/or jail time. Serious sentences are in store for repeat offenders. Fast forward to today and per capita drunk driving has plummeted. Seems like the likelihood of a severe punishment has many people refraining from that sort of conduct.
[ link to this | view in thread ]
Re: Re: Re: Re:
Swartz was indoctrinated by a well-known idiot, Lawrence Lessig. He thought that he could break the law and not be punished. When faced with the everyday reality of having consequences for his actions, he killed himself. Smooth.
And this is the guy Techdirt tries to hold up as its hero. Figures.
[ link to this | view in thread ]
Re:
MIT didn't "ask a person to leave", they blocked his MAC address. A MAC address doesn't equal a person any more so than an IP address does. Aaron simply spoofed his MAC address, like any computer literate person would do when a device isn't connecting to a network.
Would you see it differently if Aaron had purchased a dozen laptops and used those instead of spoofing his MAC address? To me they are one and the same.
The physical trespassing charge for entering the wiring closet was the only legit charge against Aaron, if you ask me.
[ link to this | view in thread ]
Re: Re:
As a computer literate person, I take exception to this. If my computer wouldn't connect to the network, I would attempt to troubleshoot the issue, and if was unable to resolve it on my own I would speak with the network administrators. If they told me that I was blocked, I would attempt to resolve the issue like a civilized human being, by reasoning with someone with the authority to remove the block... or just find a different network. Instructing my computer to lie about its identity in order to break into a network that someone in authority had deliberately locked me out of would never even cross my mind; that is the act of a criminal, not "a computer-literate person".
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Personally, I doubt that Aaron thought he was breaking law in this instance (with the possible exception of the physical trespassing - but even there I'm not sure - was there a "No Admittance" sign on the door or was it locked?)
Aaron would have learned from his previous encounter with the DOJ concerning PACER.
[ link to this | view in thread ]
Re: Re: Re:
I spoof a random MAC address every time my laptop boots on general privacy principles. I guess that makes me "criminal" in your mind.
[ link to this | view in thread ]
Re: Re:
"Paid off" has such ugly connotations. Upstanding US Citizens prefer the term "Campaign Contribution".
[ link to this | view in thread ]
Re: Re: Re:
In all fairness, talking with the network administrators is a step I take only when literally everything else I've tried has failed. Theoretically, this would include MAC spoofing if I suspected that the problem was related to my MAC address.
[ link to this | view in thread ]
Re: Missing the point
When it comes to stuff that the legislature is ignorant of (like things related to networking), they have this nasty standard practice of passing laws that allow for egregiously draconian action and saying that it's OK because law enforcement will use appropriate discretion in applying the law. Something that has, as far as I know, never actually held true.
So we have the cops pointing to the lawmakers and saying "but they said we could!" and the lawmakers saying "we trust the cops to do the right thing". It's a recipe for tyranny.
[ link to this | view in thread ]
Best of the bad?
[ link to this | view in thread ]
Re:
However, I think this is a complex thing. Sometimes increasing severity can have a deterrent effect. Sometimes it obviously does not. I suspect that it might be that for any given offense, there is a maximum effective punishment severity level. As you increase severity, deterrence increases as well, but once a threshold is reached, ratcheting the punishment up even further no longer increases deterrence (and begins to have the opposite effect if the severity is raised high enough). Where that threshold is depends on the crime.
[ link to this | view in thread ]
Re:
1) You don't get felony prosecution for trespassing.
2) JSTOR was the "injured" party not MIT.
[ link to this | view in thread ]
Re: Re: Re:
Before you so casually through out the 'criminal' accusation from up on your high horse, why don't you explain what harm his actions were causing that could possibly justify the harshness of the punishment he was facing.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
The vast majority of laws on the books today work on the (unstated) underlying premise assume that some sort of physical presence within a jurisdiction is required to commit a crime.
The internet breaks this premise...
[ link to this | view in thread ]
Re: Re: Re: Re:
Indeed. And in a large campus environment (of which MIT is one) the network administrators are often intentionally heavily shielded from the general user base, much less the guest user base. This is to allow them to remain productive.
It's easy to say "I'd just get a hold of a network admin for a guest network in a large environment." It's another thing to actually do it. Want to know how hard it is to get to someone who knows what they're doing on a guest network? Go to a largish venue with a guest network. Say, a MLB stadium, or a NHL Arena. A big convention center - during a convention - might work. If you've got a college campus with open wifi near by, use that. Pretend you're having trouble getting online, and try to figure out how to get a hold of tech support - much less a network admin - for the guest network at the venue. The results are probably going to be enlightening.
[ link to this | view in thread ]
[ link to this | view in thread ]
But the Federal Government wanted to make a big show out of this minor case. Federal Prosecutors got their ego involved and decided to show how tough they are.
No big show or toughness for Wall St bankers. No big show or toughness for banks laundering drug money. No big show for corporate bribery or influence peddling or anything else done by the privileged executive class.
The big show and the toughness are reserved for the little guy who steps out of line. It shows all of us who's the boss.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:# 43 John Fenderson
[ link to this | view in thread ]
Re:
And if he had just been charged with trespassing, or the digital equivalent, you'd be right, and very few people would have had a problem with it. That however, is not how the case went. Instead, he was facing felony charges, even if he agreed to a plea deal, and decades of jail time. All for what you yourself compare to 'trespassing'.
That doesn't seem a little excessive to you?
[ link to this | view in thread ]
Re: Re: Re:
ROFL
[ link to this | view in thread ]
Re: Missing the point
These are the kinds of questions one asks job candidates to see how they would behave. There is a wide range of behaviors available to prosecutors given the exact same potential cases crossing their desks.
[ link to this | view in thread ]
...Or take down botnets, or the markets where such criminal tolls and services are sold.
Problem is they never do this. No, they go after someone downloading academic papers. Or internet services where some infringing material might be indexed by search, or even hosted. Heaven forfend they ever do anything about scammers, spammers, and actual criminals who crack into systems and copy stuff like credit card data.
Beat that low-hanging fruit with a bat, guys. Never mind the carnivorous predators hiding up in the tree. Too hard.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
I don't think the maximum sentences are really a problem
Maximum sentences are already published, so the only reason for the prosecution to reiterate them to the court, the defence, or the media is to threaten the defence - a practice that should be frowned upon by the court.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Uh, you miss the whole point
That isn't the point. The point is that activities in those areas are increasing while the courts do not have more time to deliver justice available.
The further the gap between minimum and maximum sentences gets, the more power prosecutors have for blackmailing even innocent persons into a plea deal. This does not only mean that rather expensive court cases can be avoided but it also means that there is no such ineffectual thing as an acquittal to be feared.
So if a prosecutor wants to get twice the number of cases hauled through court than his competitors, it is rather essential that there are large maximum sentences. It's rather an advantage than a disadvantage when the minimum sentences remain small: that way you'll get more customers for your bargain plea deals even among the obviously innocent.
[ link to this | view in thread ]
Re: I don't think the maximum sentences are really a problem
The law should be that plea deals aren't allowed, period. They subvert the entire process and reduce what "justice" remains in the justice system.
[ link to this | view in thread ]
is Aaron part of the nail-gun suicide list?
,too?
[ link to this | view in thread ]
Re: Re:
JSTOR was not injured. Their stuff was free to take. They didn´t like how he did it. They´d no right to complain.
MIT was injured, but only as much as any of their students could injure it any day. They didn´t want to press charges.
[ link to this | view in thread ]
AG Nominee
They do not support her, and compare her to Susan Rice. I would recommend reading the assessment, altho I doubt if my opinion will change any votes.
At least it gives a different view than that of the NYT or WaPo.
I am still bemused that Obama wants us to move from Hold'er to Lynch!
[ link to this | view in thread ]