Thursday, January 17, 2013

Aaron's Law: repeal CFAA rather than amend it

I hereby give you complete authorization to access over a network (but not physically) any computer I own. Nothing you do is unauthorized or exceeds authorization in terms of the CFAA.

The solution to fixing the "Computer Fraud and Abuse Act" (CFAA) is not to amend it but to get rid of it. The Internet is world-wide, and 95% of the hackers trying to break into your computers are beyond the reach of U.S. law. Rather than providing a meaningful deterrent to bad hackers, what the law really does is create a chilling effect for our own creative geniuses. Genius geeks from Steve Jobs to Aaron Swartz should feel free to push the boundaries of technology without prosecutors and juries second-guessing them.

Getting rid of the CFAA doesn't actually expose you to additional danger, which I demonstrate with the statement above. My computers are secure, which means that while I've given you legal access, in terms of the CFAA, to hack my computers, I haven't given you real access by giving you a username or password. I don't need the CFAA to protect my computers; I can protect them just fine myself. Or, if I can't, I've only made the threat 5% worse by giving US citizens permission alongside all the hackers from Russia, China, Brazil, and so on.

Getting rid of the CFAA doesn't get rid of other crimes. While I've given you permission to access my computers, I haven't given you access to my bank account or credit card number. Neither have I given you permission to physically steal the computer. This means all those hackers who are now behind bars for stealing money would still be behind bars.

7 comments:

Toby said...

This argument is quite interesting. But I'm not sure it's totally valid.

The US has proved itself quite capable of projecting its legal authority outside of its own jurisdiction. One only needs to consider the Dotcom (MegaUpload) case, or the numerous instances in which a foreigner has been extradited to the US for intrusions against US systems (e.g. plenty of Brits and Aussies) to see that these laws apply to many more than just US citizens.

Chris said...

I totally agree. It changes nothing to admit that the only thing keeping your copies in their can is the code you already control, and it defuses a legal land-mine. Harmful actions are still illegal, and De Morgan's laws still work. If only the rest of the world made as much sense.

Chris said...

If 95% of the hackers are outside of the US, and including the US increases the number by 5%, where are the remaining 0.25% of the hackers? :)

Robert Graham said...

Chris: space aliens at Area 51, obviously.

Peter Mawell said...

While I suspect the US laws are far too harsh and badly applied, I do not think you have made a sufficient argument to not legislate at all in the area. As Toby pointed out, the US does have extradition treaties with many other countries, which do not need much at all to invoke, e.g. all that is required to extradite from the UK to US is "reasonable suspicion" and not even setting out of a prima facie case. While China and Russia are probably beyond the reach, the law is not without force, as people like Gary McKinnon discovered.

If you personally permit people to access your computer(s), for most folk that is equivalent to giving them the "keys to the kingdom": it will often allow access to bank accounts, etc. The fine-print that comes with bank accounts normally stipulates that you must take reasonable precautions to protect the access credentials, so by permitting strangers to access your computer you have tacitly taken on liability for anything they do with your bank accounts.

In every other area of life, we have laws for theft, breaking-and-entering, etc. There is a presumption that people should take reasonable precautions but after that the protection falls to that of the law. There is no reason why computing should be much different: most people cannot protect their systems to the level you can, they are not security experts and should not be expected to be so.

What needs reforming is the US government's and authorities' attitude to computer crime: the potential 35-year term if convicted re Swartz was just absurd. Arguably, the whole justice system in the US is similarly extreme when it comes to sentencing, although I get the impression people are afforded more concrete rights in terms of process compared to other countries.

Moulton said...

"I hereby give you complete authorization to access (over a network) any computer I own."

As you know, Rob, the above license would theoretically permit me to open an ssh tunnel that would enable me to surf over to Volokh Conspiracy via your machine's IP address rather than mine.

"Now what would be the point of that?" an idle observer might ask.

I imagine that Rob (not being an idle observer) would quickly apprehend that it would allow me to knowingly violate the CFAA by circumventing Orin Kerr's otherwise unannounced withdrawal of authorization for me to engage in conversation with him and his co-bloggers at Volokh Conspiracy.

Now were I to do that, and resurface at VC, I have no doubt Orin would quickly block Rob's IP, just as he blocked mine.

But just as Rob can blithely change his MAC address on a LAN, I can also blithely change my own IP address by simply rebooting my Verizon DSL modem.

So what would be the point? Surely not to annoy Orin with questions on the purpose of the law he'd rather not have to respond to.

So why would I intentionally violate the CFAA by party-crashing Eugene Volokh's "big party"?

I suppose one could come up with lots of reasons ranging from "for the lulz" to "for a conscientious exercise in civil disobedience" to promote the advance of civilization.

But I suppose from an ethical point of view that would be a fool's errand, which is the last thing in the world I would want to do.