Dutch Law Would Authorize Police To Hack Into Foreign Computers And Phones: What Could Possibly Go Wrong?

from the thinking-it-through dept

When we wrote last year about a Dutch idea to give police there the power to break into computers -- even those located abroad -- we and many others pointed out a number of deep flaws with the plan. Undeterred, the Dutch government seems to be going ahead with the scheme, as Bits of Freedom explains:

The police should be allowed to hack into mobile phones and computers, even when these are located abroad. This is proposed by the Dutch government on May 2nd of 2013. While this appears to be a powerful asset for law enforcement, in reality it creates unnecessary vulnerabilities for citizens.

Not content with that really bad idea, there's a couple of others tacked on for good measure, as the BBC reports:

The bill would also make it a crime for a suspect to refuse to decipher encrypted files during a police investigation.

It is expected the draft legislation will be put to parliament by the end of the year.

The bill singles out child pornography and terrorism as two areas of special concern. The publication of stolen data would also become punishable.

It's easy to see how the last of those could be abused to silence inconvenient whistleblowers. Bits of Freedom sums up well the key danger with the bill:

other countries, such as China, will use the powers as a justification for their own activities. They will follow the Dutch example by allowing their police to use the same methods, including hacking abroad, in order to delete controversial data. Civilians will become the victims in an arms race between hacking governments.

Indeed, it's worth considering for a moment what the Chinese response will be when it finds Dutch police, with the full approval of the Dutch government, deleting files or installing spyware on computers on its territory. It won't matter if the latter were involved in breaking into Dutch systems, or controlling a global botnet: national pride will be at stake over what will effectively be an attack on Chinese citizens and property. So as not to lose "face", a robust response is guaranteed. Is the Netherlands (population 6,065,459 16,788,973) really ready to take on China (population 1,353,821,000) over this?

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: computers, hacking, law enforcement, netherlands, surveillance, unintended consequences

Mainstream Press Waking Up To DOJ's Massive Overreaction To Minor Computer Hacks

from the omg-it's-a-computer! dept

We've talked plenty about the government abusing the CFAA to pretend that some minor hacks were some giant criminal conspiracy, but now even the mainstream press is starting to recognize that an overactive Justice Department seems so freaked out by computers that it feels the need to use the CFAA over and over again against minor hacks. We've covered the various cases mentioned in the article in the past, but it's good to see a paper such as the Washington Post call the administration out for its silly overreactions. It's as if they see a computer and assume that something bad must be happening. At no point, when it comes to these cases, does the DOJ seem to step back and look at the actual seriousness of any of these cases.

Filed Under: cfaa, doj, hacking
Companies: washington post

The Greatest Trick The Government Ever Pulled Was Convincing The Public The 'Hacker Threat' Exists

from the the-2nd-was-continuing-taxation-long-after-representation-ceased-to-exist dept

The US government is already fighting wars on several fronts, including the perpetual War on Terror. "War is the health of the state," as Randolph Bourne stated, and the state has never been healthier, using this variety of opponents as excuses to increase surveillance, curtail rights and expand power.

Bruce Schneier highlights a piece written by Molly Sauter for the Atlantic which poses the question, "If hackers didn't exist, would the government have to invent them?" The government certainly seems to need some sort of existential hacker threat in order to justify more broadly/badly written laws (on top of the outdated and overbroad CFAA). But the government's portrayal of hackers as "malicious, adolescent techno-wizards, willing and able to do great harm to innocent civilians and society at large," is largely false. If teen techno-wizards aren't taking down site after site, how is all this personal information ending up in hackers' hands? Plain old human carelessness.

According to the Privacy Rights Clearinghouse, the loss or improper disposal of paper records, portable devices like laptops or memory sticks, and desktop computers have accounted for more than 1,400 data-breach incidents since 2005 -- almost half of all the incidents reported. More than 180,000,000 individual records were compromised in these breaches...

By comparison, only 631 breaches were attributed to actual hacking, or at least hacking as it's portrayed by the government. Private entities aren't very worried about being hacked either, at least not from the outside. Their main concern, according to the Privacy Rights Clearinghouse, is "inside jobs" by disgruntled employees.

Nonetheless, the narrative advanced by the government (and passed along by the largely credulous mainstream media) of unstoppable hackers and their omnipresent threat to major companies, the government itself, average Americans and underlying infrastructure, continues nearly unimpeded. This narrative is essential to those in the government who wish to justify large-scale surveillance of anything and anyone connected to the internet. The scarier the image, the more it can get away with.

It is the hacker -- a sort of modern folk devil who personifies our anxieties about technology -- who gets all the attention. The result is a set of increasingly paranoid and restrictive laws and regulations affecting our abilities to communicate freely and privately online, to use and control our own technology, and which puts users at risk for overzealous prosecutions and invasive electronic search and seizure practices. The Computer Fraud and Abuse Act, the cornerstone of domestic computer-crime legislation, is overly broad and poorly defined. Since its passage in 1986, it has created a pile of confused caselaw and overzealous prosecutions.

We've seen the overzealous prosecution and expressed disbelief and amazement at some of the interpretations of this outdated law. (Amazingly, Sauter's post was written before the most recent cases of overzealous prosecution.) And instead of fixing the CFAA, legislators are actively working to make it worse, even as overly-broad cybersecurity legislation is being negotiated in secret.

The "modern folk devil" image has become part of the mass consciousness. Anonymous and its various offshoots roam the internet, at turns wreaking havoc and helping the oppressed, like an electronic manifestation of Loki, the Distributed. These activities are duly reported by the media in ominous tones, further driving home the image of the hacker at Millennial Public Enemy No. 1. The acts and the perception of the damage caused by this hacking are miles apart, as is perfectly illustrated by xkcd.

Many members of the American public are already convinced something should be done about hackers. Many of our representatives feel the same way. A lack of knowledge of the underlying technology, much less the methods or culture, hasn't deterred legislators from crafting an overbroad response with the CISPA bill. Examining the issues more closely or reconsidering the legislation doesn't seem to be an option. After all, a "cyber Pearl Harbor" is all but inevitable, a conclusion confirmed by shouting "HACKER!" in the halls of Congress and hearing it echoed back by like-minded representatives, sympathetich government agencies, the media and a subset of the American public.

In the effort to protect society and the state from the ravages of this imagined hacker, the US government has adopted overbroad, vaguely worded laws and regulations which severely undermine internet freedom and threaten the Internet's role as a place of political and creative expression.

The endgame is more control, and the "hacker" provides an ominous, omnipresent threat that, because of the hacker's naturally secretive nature, can neither be confirmed or denied with any veracity. Much like the War on Terror, this War on Hacking takes rights from the American public, carves out huge chunks and sends the gutted remains back to citizens in a package marked "Safety."

Filed Under: cispa, cybersecurity, fud, government, hacking

UK Parking Enforcement Contractor Leaves Sensitive Driver Data Exposed; Compounds Embarrassment By Issuing Bogus Legal Threats

from the as-secure-as-an-unlocked,-vellum-paper-door dept

Another day, another self-inflicted privacy breach. This time it's a UK private parking enforcement contractor that's leaving its supposedly-secret stuff right out in the open.

UK Parking Control (UKPC) is accused of revealing photographs of Brits' cars parked with number plates clearly to be read and in some cases the location revealed. In some images it's alleged that other details such as identification cards, shopping or belongings are clearly visible. Campaigners against private parking firms believe these images - allegedly made easily accessible to anyone on the UKPC website - exposed drivers' personal information.

When UKPC tickets a car, its enforcers take photos of the vehicle (and, apparently, inside the vehicle, among other places), which are uploaded to UKPC's site. The ticket itself has a printed URL pointing to the damning photos of the illegally parked vehicle. It's a slick system, but its "security" is easily thwarted by a process AT&T might find strangely familiar.

[O[ne ticket recipient claimed to have found that by tweaking values in this web address, he could access thousands of other digital photographs of other people's vehicles... Some shots show personal items on view inside the vehicles, such as an ID card placed next to a disabled-driver badge.

As you may recall, tweaking URLs allowed "Weev" to access the email addresses of hundreds of iPad users (and landed him in jail). The same lack of basic security is on display here. Changing a few values in the URL results in access to photos you were never meant to see.

A blog called Nutsville, which has been a longtime critic of the UK's private parking enforcement, posted several photos obtained from UKPC's website. Among the expected photos of vehicles (with visible license plates) are other oddities, including shots of the lower extremities of parking enforcement employees relaxing at home, several photos of vehicle interiors and most disturbingly, crystal clear photos of drivers' identification cards.

After the Register reported this story, the UK Information Commissioner's office pledged to investigate the leak. UKPC hasn't publicly responded to the breach, but it did send its lawyers after Nutsville in the form of a bizarre Letter Before Action that mixes and matches criminal and civil actions and seems unable to decide on when exactly Nutsville should respond/comply. Nutsville's response to the letter is well worth reading, punching holes in its paper-thin claims and generally deriding the ineptitude of the correspondence.

The letter claims Nutsville has breached the Computer Misuse Act, claiming these photos were acquired by "using a password, without authorisation, to access their website." Nutsville points out this is completely false. The only thing accessed were various URLs on UKPC's site by manipulating values in the URL themselves. From that point on, UKPC's legal representative goes completely off the rails, threatening to inform the police (a criminal matter) of Nutsville's actions. Mere sentences later, the lawyer threatens "injunctive High Court proceedings," suddenly making it a civil matter. On top of that, UKPC's rep demands Nutsville take down the blog post by 10 AM on April 2nd, only to wrap up the bungled legalese by requesting a reply by no later than April 8th.

As both deadlines have come and gone with no follow-up post from Nutsville (or response from UKPC), it would appear that the parking enforcement contractor has either given up on pursuing these bogus legal claims or is tied up attempting to clean up its own backyard ahead of the pending investigation.

The most disappointing aspect of this story is UKPC's response. Disappointing, but far from unexpected. For many businesses, the most common reaction to being informed of a data breach is to shoot the messenger. Rather than issue an apology and fix the problem, they tend to fire off legal threats about "unauthorized access" or other vague hacking claims as if the end user making the discovery should be treated as a criminal for their own negligence.

Filed Under: hacking, legal threats, parking enforcement, privacy, security, uk, urls
Companies: uk parking control, ukpc

Speak Up And Fix The CFAA

from the don't-make-it-worse dept

A bunch of internet activists, including Fight for the Future and Demand Progress, among others, have launched a new site: FixTheCFAA.com, asking people to contact their lawmakers and demand that they fix the CFAA law, rather than make it worse.

The Computer Fraud and Abuse Act is the law under which Aaron Swartz and other innovators and activists have been threatened with decades in prison. The CFAA is so broad that law enforcement says it criminalizes all sorts of mundane Internet use: Potentially even breaking a website's fine print terms of service agreement. Don't set up a Myspace page for your cat. Don't fudge your height on a dating site. Don't share your Facebook password with anybody: You could be committing a federal crime. (Read more here.)

It's the vagueness and over breadth of this law that allows prosecutors to go after people like Aaron Swartz, who tragically committed suicide earlier this year. The government threatened to jail him for decades for downloading academic articles from the website JSTOR.

Since Aaron's death, activists have cried out for reform of the CFAA. But members of the House Judiciary Committee are actually floating a proposal to expand and strengthen it -- that could come up for a vote as soon as April 10th! (Read more here.)

Thankfully, we've heard that the public outcry over the bad CFAA reform proposal probably (though not definitely) means that it won't be scheduled for a markup this week (as originally intended). However, that doesn't mean it's not still a major risk. There remains strong support from law enforcement folks and the Justice Department in particular for this kind of CFAA reform (the kind that makes it even broader). And, tragically, many in Congress just don't think that the public cares enough to support a bill in the other direction. Hopefully enough people speak up and let them know that this is unacceptable. A law that criminalizes breaking terms of service is not a law worth having on the books.

Filed Under: aaron swartz, cfaa, fix the cfaa, hacking

US Attorneys Reveal Online Bullying To Explain Why People Who Helped Them Prosecute Aaron Swartz Should Remain Anonymous

from the counter-productive dept

We recently wrote about how Aaron Swartz's legal team was arguing with MIT and the DOJ about publicly releasing some of the documents in the case against him. MIT and the DOJ want to keep the names of key people at MIT and JSTOR secret, while Swartz's family says the info should be public. In response, among other things, the US Attorneys' Office has said that, since Swartz's death, they've been bullied and hacked. From the filing:

In my capacity as First Assistant United States Attorney, I have been shown various harassing and potentially threatening email messages directed at United States Attorney Ortiz and the United States Attorney’s Office following Mr. Swartz’s suicide.

Attached at Tab E are copies of the following articles:

a. Swartz case protest at Boston US Attorney’s Home, The Boston Globe, March 12, 2013; and
b. Swartz protesters go to prosecutor’s home, The Boston Globe, March 17, 2013.

In my capacity as First Assistant, I have been shown various harassing and threatening messages directed at AUSA Heymann. One such email I have seen states, among other things:

ROFLMAO just saw you were totally dox’d over the weekend by Anonymous. How does it feel to become an enemy of the state? FYI, you might want to move out of the country and change your name . . .

That same email copies personal information of AUSA Heymann, including his home address and personal telephone number, among other things. AUSA Heymann has also reported to me that his personal information (including his home address, personal telephone number, and the names of family member and friends) were posted online, and that his Facebook page was hacked.

Attached at Tab F is a redacted copy of a postcard that AUSA Heymann has informed me he received at his home.

Attached at Tab G is a copy of a postcard that Professor Philip Heymann has informed me he received.

This is the first postcard they're talking about: The picture in the center is of Philip Heymann, father of Steven Heymann. Steve Heymann led the prosecution of Swartz. His father, Philip is a former deputy attorney general and a professor at Harvard.

Once again, as we've stated numerous times in the past, these kinds of activities, while they may feel like a way to make a statement against those who have done wrong, are incredibly counterproductive and stupid. Rather than making any sort of realistic or helpful point, they just give more ammo to the DOJ to block a full, fair and thorough exploration into what went wrong. Making them into victims is a really pointless move that helps the DOJ continue to cover up the details of what happened by giving them cover.

I recognize that there's tremendous anger towards the US Attorneys' office over this case, and much of that anger is likely justified. But channeling that anger into childish threats doesn't help anyone, least of all Swartz's memory and family. Yes, the prosecution of Swartz was unfair, and I would support a legitimate investigation into what happened and ways to keep the DOJ from such overzealous prosecution in the future (though, I agree with others that this sort of thing is endemic to the DOJ, and wasn't unique to Swartz's situation). But these actions turn the DOJ into victims and give them an excuse to hide behind. These kinds of attacks may make some kids feel better, but they don't help at all.

Filed Under: aaron swartz, anonymous, bullying, carmen ortiz, hacking, steven heymann, us attorneys
Companies: jstor, mit

NATO 'Cyberwar' Manual Says Hacktivists Must Wear A Uniform

from the dressed-to-kill dept

Last year, Techdirt wrote about an interesting article suggesting that we should welcome "cyberwar" since it would be so much less painful than the ordinary kind. Of course, that begs the question what we actually mean by "cyberwar", since some forms are probably less humane than others. As we have pointed out, the use of the totally embarrassing "cyber" prefix is really just an excuse for more government controls and for security companies to get fat contracts implementing them.

Against that background, the following news from The Verge about an attempt to pin down what exactly "cyberwar" might be, is particularly interesting:

A landmark document created at the request of NATO has proposed a set of rules for how international cyberwarfare should be conducted. Written by 20 experts in conjunction with the International Committee of the Red Cross and the US Cyber Command, the Tallinn Manual on the International Law Applicable to Cyber Warfare analyzes the rules of conventional war and applies them to state-sponsored cyberattacks.

The Tallinn Manual on the International Law Applicable to Cyber Warfare is a fascinating, if rather dry read: it consists of 95 key statements or rules about "cyberwarfare", each followed by pages of academic argument about what that statement means, and why. Mostly, it's about transposing existing law on warfare into the online world, defining things like "sovereignty", "attack", "force", "proportionality" etc. But there's one area where old ideas don't help: that of "hacktivists", defined in the Manual as "A private citizen who on his or her own initiative engages in hacking for, inter alia, ideological, political, religious, or patriotic reasons."

That's because conventional war makes a distinction between combatants -- those fighting in regular armies -- and those who are "unprivileged belligerents". The difference is crucial: the former enjoy important rights, for example to be treated as prisoners of war if captured, whereas "unprivileged belligerents" do not. The distinction between the two groups is relatively obvious in traditional warfare, where combatants are organized and subject to clear command structures. Hacktivists, by contrast, may decide to defend their country by taking part in group attacks from their home or from a local café, say; the issue then becomes whether or not they are to be considered combatants with rights, or "unprivileged belligerents" without them.

The following section from the Tallinn Manual shows the experts floundering here -- and just how hard it is to come up with sensible rules for this "cyberwar" stuff:

Combatant status requires that the individual wear a 'fixed distinctive sign'. The requirement is generally met through the wearing of uniforms. There is no basis for deviating from this general requirement for those engaged in cyber operations. Some members of the International Group of Experts suggested that individuals engaged in cyber operations, regardless of circumstances such as distance from the area of operations or clear separation from the civilian population, must always comply with this requirement to enjoy combatant status.

So if you're ever tempted to engage in a little patriotic hacking into enemy computers, please don't forget to put on your uniform first...

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: cyberwar, hacking, hactivism, nato, rules, uniform

Law Professor Eric Goldman: The CFAA Is A Failed Experiment; It's Time To Gut It

from the take-a-stand dept

We've been talking a lot about CFAA reform lately, but law professor Eric Goldman is taking it a step further. He's written a fantastic piece for Forbes that explains why the whole concept underlying the CFAA is a failure and should be almost entirely done away with. The key part is the theory underlying the CFAA is an attempt to apply the age-old concept of "trespass to chattels" online, in the theory that the online world can be considered not unlike the offline world. Except... it's not so simple. Not at all.

Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely. The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved. The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn’t worked...

He goes on to point out that there have been massive unintended consequences of trying to apply an offline concept to a very different online world, and to also note that other existing laws can already handle many, if not potentially all, of the scenarios that people normally fear concerning malicious computer hacking.

Indeed, because legal doctrines already overlap so extensively, we almost never see an online trespass to chattels claim asserted on a standalone basis. Instead, an online trespass to chattels claim is usually just one of numerous legal violations asserted against the defendant. These doctrinal overlaps mean we usually don’t need online trespass to chattels either to supplement the more squarely applicable claims or to act as a “gap-filler” to plug the rare and narrow holes left by the other legal doctrines.

And thus, his recommendation is basically to gut the CFAA almost entirely:

1) Repeal most provisions of the CFAA (that don't relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online. Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.

2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.

3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.

4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).

It's difficult to argue with these suggestions, which is probably why most of Congress will likely instead ignore them.

Filed Under: cfaa, cfaa reform, chattles, doj, eric goldman, hacking, internet, laws, trespass, trespass on chattels

Turns Out The One 'Good' Change In CFAA Reform... May Actually Be Bad Too

from the ugh dept

So yesterday we broke the news about a proposed CFAA reform bill that, rather than fix the problems of the CFAA made the law much, much worse. It added computer crimes as a racketeering issue, increased sentences and made just talking about a potential CFAA violation the equivalent of having committed it. Bad stuff all around. There was one section, however, that we said was slightly good. We noted that they ever so slightly rolled back what would constitute a crime for "exceeding authorized access" listing out a few qualifications that needed to be met -- including that the information obtained was valued over $5,000, that you had to be targeting private information and that the access was done in furtherance of a crime. Based on the bill as written, I had assumed that all of those elements needed to be present to qualify.

However, after talking to two different people with knowledge of the bill in question, it has been suggested that this is not the case, and that the different elements are really meant to be "or" statements. They point out that if you look elsewhere in the existing CFAA, you see the same pattern -- with multiple sub-statements that don't have an "or" but which are interpreted as being "or" statements. For example, under section (a)(2)(A), there is no "or" between that and (B), but clearly the CFAA doesn't only apply to information that is obtained BOTH from a financial institution and a government computer at the same time. This pattern is repeated throughout the bill, such that it seems clear the bill's clauses are connected by "or" statements, rather than "and."

If this is true, then you could run afoul of "exceeding authorized access" for any one of those actions, rather than all three. This is bad for a variety of reasons. Beyond making it much easier to go after someone for exceeding authorized access, it actually acts as a de facto way of expanding, not contracting, that clause in the CFAA. That's because at least a few courts have recently rejected broad interpretations of the CFAA around "exceeding authorized access," such that the courts (in a few key circuits) have effectively cut back on broad interpretations of the bill. This new version of the CFAA would create new broad definitions for which prosecutors could use against people claiming "exceeds authorized access."

It seems like this bill really is all bad. On top of everything else, the one area where it "rolled back" something, it may have rolled it "back" to a place which allows for more ambiguity that existing case law.

So rather than stopping bogus prosecutions like the one against Aaron Swartz, this revision of the CFAA may encourage them and create more such activity.

Filed Under: cfaa, cfaa reform, exceeds authorized access, hacking

Rep. Gohmert Wants A Law That Allows Victims To Destroy The Computers Of People Who Hacked Them

from the do-these-people-even-listen-to-themselves? dept

Last week, we had talked about some concerns about how various cybersecurity provisions would allow those hit by malicious hackers to "hack back" or, as some call it, engage in an "active defense." There were significant concerns about this, but as Marvin Ammori briefly mentioned in last week's favorites post, Rep. Louis Gohmert seems to not only think hacking back is a good idea, but that it should be explicitly allowed under the CFAA (Computer Fraud and Abuse Act). You can see his explicit statements to this effect below during last week's House Judiciary Committee hearing on the CFAA. It appears he heard a story about someone installing some malware on a hacker's computer to get a photograph of them, and has decided "that's a good thing, that helps you get at the bad guys," without ever thinking of the very, very long list of dangerous consequences of allowing such things: In case the video embed is not working above, I created a short highlight that just covers the ~5 minute exchange involving Gohmert.

Here's the basic transcript. The really crazy part is where Gohmert says he doesn't care as long as the hack back is "destroying that hacker's computer."

Rep. Gohmert: It's my understanding that under 18 USC 1030 that it is a criminal violation of law to do anything that helps take control of another computer, even for a moment. Is that your understanding?

Orin Kerr: It depends exactly what you mean by "taking control." If "taking control" includes gaining access to the computer, assuming a network your not supposed to take control of, then yes, that would clearly be prohibited by the statute.

Rep. Gohmert: For example, my understanding is that there was a recent example where someone had inserted malware on their own computer, such that when their computer was hacked and the data downloaded, it took the malware into the hacker's computer, such that when it was activated, it allowed the person whose computer was hacked to get a picture of the person looking at the screen. So they had the person who did the hacking, and actually did damage to all the data in the computer. Now, some of us would think 'that's terrific, that helps you get at the bad guys.' But my understanding is that since that allowed the hackee to momentarily take over the computer and destroy information in that computer and to see who was using that computer, then actually that person would have been in violation of 18 USC 1030. So I'm wondering if one of the potential helps or solutions for us would be to amend 18 USC 1030 to make an exception such that if the malware or software that allows someone to take over a computer is taking over a hacker's computer, that it's not a violation. Perhaps it would be like for what we do for assaultive offenses, you have a self-defense. If this is a part of a self-defense protection system, then it would be a defense that you violated 1030. Anybody see any problems with helping people by amending our criminal code to allow such exceptions or have any suggestions along these lines?

Orin Kerr: Mr. Gohmert, that's a great question that is very much debated in computer security circles. Because, from what I hear there is a lot of this "hacking back" as they refer to it. But at least under current law, it is mostly illegal to do that.... The real difficulty is in the details. In what circumstances do you allow someone to counterhack, how broadly are they allowed to counterhack, how far can they go? The difficulty, I think, is that once you open that door as a matter of law, it's something that can be difficult to cabin. So I think if there is such an exception, it should be quite a narrow one to avoid it from becoming the sort of exception that swallows the rule.

Rep. Gohmert: Well, I'm not sure that I would care if it destroyed a hacker's computer completely. As long as it was confined to that hacker. Are you saying we need to afford the hacker protection so we don't hurt him too bad?

Orin Kerr: (brief confounded look on his face) Uh... no. The difficulty is that you don't know who the hacker is. So it might be that you think the hacker is one person, but their routing communications... Let's say, you think you're being hacked by a French company, or even a company in the United States...

Rep. Gohmert: Oh and it might be the United States Government! And we don't want to hurt them if they're snooping on our people. Is that...?

Orin Kerr: No.

Rep. Gohmert: I don't understand why you're wanting to be protective of the hacker.

Orin Kerr: The difficulty is first, identifying who is the hacker. You don't know when someone's intruding into your network who's behind it. So all you'll know is that there's an IP address that seems to go back to a specific computer. But you won't know who it is who's behind the attack. That's the difficulty.

First off, kudos to Orin Kerr for keeping a (mostly) straight face through that exchange. There are many amazing things about this particular exchange, but the fact that Rep. Gohmert is one of the people in charge of how the CFAA gets reformed, and doesn't understand these very basic concepts, is immensely troubling. Among the headsmackers in that exchange: the idea that hackers are bad -- and not just partially bad, but apparently obviously and totally bad, like out of a movie. Also: that they're somehow easy to identify and that a freebie on hackbacks wouldn't be abused in amazing ways. Further, as Kerr pretty clearly points out that you can't automatically track back and (without saying so directly, but clearly implying) that hackers likely would shield their identity or fake someone else's identity, Gohmert still doesn't get it and somehow thinks that Kerr is saying we don't want to allow hackbacks on US government snooping (which, again, Gohmert seems to have no problem with). Yikes. Please do not let people like this near laws that have anything to do with computers. To me, this level of misunderstanding is worse than the whole "series of tubes" garbage from a few years back by Senator Stevens.

I'm sorry, but it seems that if you can't understand that there isn't some magic list that says "these hackers are bad, and therefore we should destroy their computers," I don't think you should have any role in making laws around this topic.

Filed Under: cfaa, destroying computers, hackers, hacking, louis gohmert, orin kerr