Showing posts with label CFAA. Show all posts

Saturday, May 02, 2015

How to fix the CFAA

Someone on Twitter asked for a blogpost on how I'd fix the CFAA, the anti-hacking law. So here is my proposal.

The major problem with the law is that the term "authorized" isn't clearly defined. You non-technical people think the meaning is obvious, because you can pick up a dictionary and simply point to a definition. However, in the computer world, things are a bit more complicated.

It's like a sign on a store window saying "No shirt, no shoes, no service" -- but you walk in anyway with neither. You know your presence is unwanted, but are you actually trespassing? Is your presence not "authorized"? Or, should we demand a higher standard, such as when the store owner asks you to leave (and you refuse) that you now are trespassing/unauthorized?

What happens on the Internet is that websites routinely make public data they actually don't want people to access. Is accessing such data unauthorized? We saw that a couple days ago, where Twitter accidentally published their quarterly results an hour early on their website. An automated script discovered this and republished Twitter's results to a wider audience, ironically using Twitter to do so. This caused $5 billion to drop off their market valuation. It's obviously unintentional on the part of the automated script, so not against the law, but it still makes us ask whether it was "authorized".

Consider if I'd been browsing Twitter's investor page, as the script did, and noticed the link. I would've thought to myself "this is odd, the market doesn't close for another hour, I'll bet this is a mistake". Would I be authorized in clicking on that link, seeing the quarterly results, and trading stocks/options based on that information? In other words, I know that Twitter made a mistake and does not want me to do so, but since they made the information public, this doesn't mean my access is unauthorized. What if I write a script to check Twitter's investor page every quarter, hoping they make a mistake again, thereby profiting from it?

As a techy, I often encounter similar scenarios. I cannot read the statute in order to figure out whether my proposed conduct would be in violation. I talk with many lawyers who are experts on the statute, and they cannot tell me if my proposed conduct is permissible under the statute. This isn't some small area of ambiguity between two clear sides of the law, this is a gaping hole where nobody can answer the question. The true answer is this: it depends upon how annoyed people will be if my automated script moves Twitter's stock price by a large amount.

You'd think that this is an obvious candidate for the "void for vagueness" doctrine. The statute is written in such a way that reasonable people cannot figure out what is permissible under the law. This allows the law to be arbitrarily and prejudicially applied, as indeed it was in the Weev case.

The reason for this confusion comes from the 1980s origin of the law. Back then, computers were closed, and you needed explicit authorization to access them, such as a password. The web changed that to open, public computers that required no password or username. Authorization is implicit. I did not explicitly give you authorization to download this blogpost from my server, but you intentionally did so anyway.

This is legal, but I'm not a lawyer and I don't know how it's legal. Some lawyers have justified it as "social norms", but that's bogus. It's the social norms now, but it wasn't then. If implicit authorization was the norm back then, then it would've been included in the law. The answer to that is "nerd norms". Only nerds accessed computers back then, and it was the norm for nerds. Now we have iPads, and everyone thinks they are a nerd, so nerd norms prevailed and nobody went to jail for accessing the web while social norms were changing.

But sometimes "iPad user norms" differ from "nerd norms", and that's where we see trouble in the cases involving Weev and Swartz. I could write a little script to automatically scrape all the investor pages of big companies, in case any make the same mistake Twitter did. I might get prosecuted because now I've done something iPad users consider abnormal: they might click on a link, but they would never write a script, so script writing is evil.

This brings me to the definition of "authorization". It should be narrowed according to "nerd norms". Namely, it should refer to only explicit authorization. If a website is public and gives things up while demanding authorization from nobody, then it's implicit that pretty much anything is authorized -- even when the website owners mistakenly publish something. In other words, following RFC2616 implicitly authorizes those who likewise follow that RFC.

I am not a lawyer, but Orin Kerr is. His proposal adds the following language. This sounds reasonable to me. It would clear up the confusion in my hypothetical investor page scenario above: because I'm bypassing no technological barrier, and permission is implied, I'm not guilty.
"to circumvent technological access barriers to a computer or data without the express or implied permission of the owner or operator of the computer"
By the way, technically I'm asking for clarification. If lawmakers want to define "unauthorization" broadly to include all "unwanted" access, then that would satisfy my technical concerns. But politically, I want that definition defined the other way, narrowly, so that I'm not violating the law accessing information you accidentally made public, even though I know you don't want me to access it.


My second concern is with the penalties of the law. Currently we are seeing a 14 year old kid in Florida charged with a (state) felony for a harmless prank on his teacher's computer. There's no justification for such harsh penalties, especially since if they could catch them all, it'd make felons out of hundreds of thousands of kids every year. Misdemeanors are good punishments for youthful exuberance. This is especially true since 90% of those who'll go on to being the defenders of computers in the future will have gone through such a phase in their development. Youth is about testing boundaries. We should have a way of informing youth when they've gone too far, but in a way that doesn't destroy their lives.

Most of the computer crimes committed are already crimes in their own right. If you steal money, that's a crime, and it should not matter if a computer was violated in the process. There's no need for additional harsh penalties in an anti-hacking law.

Orin's proposed changes also include reducing the penalties, bringing things down to misdemeanors. I don't understand the legalese, but they sound good. From what I understand, though, there is a practical problem. Computer crime is almost always across state lines, but federal prosecutors don't want to get involved in misdemeanors. This ends up meaning that a federal law about misdemeanors has little practical effect -- or at least, that's what I'm told.

In the coming election, an issue for both Democrats and Republicans is the number of felons in jail in this country, which is 10 times higher than any other civilized country. It's a race thing, but even if you are white, the incarceration rate is 5 times that of Europe. I point this out because politically, I oppose harsh jail sentences in general. Being a technical expert is the reason for wanting the first change above, but my desire for this second change is purely due to my personal politics.


Summary

I am not a lawyer or policy wonk, so I could not possibly draft specific language. My technical concern is that the definition of "authorized" in the current statute is too vague when applied to public websites and needs to be clarified. My personal political desires are that this definition should be narrow, and the penalties for violating the law should be lighter.


Wednesday, April 01, 2015

War on Hackers: a Clear and Present Danger

A typical hacker, according to @Viss
President Obama has upped his war on hackers by declaring a "state of emergency". This triggers several laws that grant him expanded powers, such as seizing the assets of those suspected of hacking, or taking control of the Internet.

On one hand, this seems reasonable. Hackers from China and Russia are indeed a threat, causing billions in economic damage every year, by stealing money and intellectual property. This declaration specifically targets these issues. Presumably, in the next few weeks, we'll see announcements from the Treasury Department seizing assets from Chinese companies known to have stolen intellectual property via hacking.

But on the other hand, it's problematic. Declarations of emergency tend to be permanent. We already operate under 30 declarations of emergencies dating back to the Korean war. Once government grabs new powers, it tends not to give them back. Also, this really isn't an "emergency", the hacking it addresses goes back a decade. It's obvious corruption of the "emergency" provisions in the law for the President to bypass congress and rule by decree.

Moreover, while tailored specifically to the threats of foreign hackers, it ultimately affects everyone everywhere. It allows the government to bypass due process and seize the assets of anybody suspected of hacking. The federal government already widely abuses "asset forfeiture" laws, seizing a billion dollars annually. This executive order expands such activities (although "freezing" isn't quite the same as "forfeiture").

Of particular concern are "security researchers". The only way to secure systems is to attack them. Securing systems means pointing out flaws, which inevitably embarrasses the powerful, who then lobby government for assistance in dealing with these pesky "hackers".

The White House knows this is a potential problem, and clarifies that it doesn't intend to use this Executive Order to go after security researchers. But this is bogus. Whether somebody is a "good guy" or a "bad guy" is merely a matter of perspective. For example, I regularly scan the entire Internet. The security research community broadly agrees this is a good thing, but the powerful disagree. I have to exclude the DoD from my scans, because they make non-specific threats toward me in order to get me to stop. This Executive Order makes those threats real -- giving the government the ability to declare my scans "malicious" and to seize all my assets. It's the Treasury Department who makes these decisions -- from their eyes, "security research" is indistinguishable from witchcraft, so all us researchers are malicious.

This last week, we saw a DDoS attack by China against a key Internet infrastructure company known as "GitHub". The evidence clearly points to the Chinese government as the culprit -- yet the President has remained silent on the issue. In contrast, the President readily spoke out against North Korea based on flimsy evidence. These new powers granted by the Executive Order do nothing to stop such an attack. With proposed laws, such as the CISA surveillance expansion law, or the extensions to the CFAA, we see that the government is eager to obtain new powers, but reluctant to actually use the powers it already has to defend against hackers.

The reason the government is hesitant is that China is a thorny problem. North Korea is an insignificant country, so we bully them whenever it's convenient. In contrast, China's economy rivals our own. Moreover, trade intertwines our economies. Logical next steps to address hacking involve economic sanctions that will hurt both countries. What the government will do to address Chinese hacking then becomes a political question. No matter how many powers we give government, no matter how much we sacrifice privacy rights, stopping foreign hackers becomes a political question of foreign policy.

The conclusion is this: from the point of view of government, this Executive Order (and the follow-on actions by the Treasury Department) are a reasonable response to recent hacking. But the reality is that it's a power grab by government, granting them new powers to bypass our rights, that they are unlikely to ever give up. It's unlikely to solve the problem of foreign hacking, but will do much to expand the cyber police state.

Thursday, February 19, 2015

Extracting the SuperFish certificate

I extracted the certificate from the SuperFish adware and cracked the password ("komodia") that encrypted it. I discuss how down below. The consequence is that I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot. Note: this is probably trafficking in illegal access devices under the proposed revisions to the CFAA, so get it now before they change the law.

Wednesday, January 14, 2015

Obama's War on Hackers


In next week's State of the Union address, President Obama will propose new laws against hacking that could make either retweeting or clicking on the above (fictional) link illegal. The new laws make it a felony to intentionally access unauthorized information even if it's been posted to a public website. The new laws make it a felony to traffic in information like passwords, where "trafficking" includes posting a link.

Friday, October 03, 2014

Two Minutes of Hate: Marriott deauthing competing WiFi

Do you stand for principle -- even when it's against your interests? Would you defend the free-speech rights of Nazis, for example? The answer is generally "no", few people stand for principle. We see that in this morning's news story about Marriott jamming (actually deauthing) portable WiFi hotspots in order to force customers to use their own high-priced WiFi.

The principle I want to discuss here is "arbitrary and discriminatory enforcement". It was the principle behind the Aaron Swartz and Andrew "weev" Auernheimer cases. The CFAA is a vague law where it is impossible to distinguish between allowed and forbidden behavior. Swartz and Weev were prosecuted under the CFAA not because what they did was "unauthorized access", but because they pissed off the powerful. Prosecutors then interpreted the laws to suit their purposes.

Friday, September 26, 2014

Do shellshock scans violate CFAA?

In order to measure the danger of the bash shellshock vulnerability, I scanned the Internet for it. Many are debating whether this violates the CFAA, the anti-hacking law.

The answer is that everything technically violates that law. The CFAA is vaguely written allowing discriminatory prosecution by the powerful, such as when AT&T prosecuted 'weev' for downloading iPad account information that they had made public on their website. Such laws need to be challenged, but sadly, those doing the challenging tend to be the evil sort, like child molesters, terrorists, and Internet trolls like weev. A better way to challenge the law is with a more sympathetic character. Being a good guy defending websites still doesn't justify unauthorized access (if indeed it's unauthorized), but it'll give credence to the argument that the law is unconstitutionally vague because I'm obviously not trying to "get away with something".

Sunday, September 14, 2014

Hacker "weev" has left the United States

Hacker Andrew "weev" Auernheimer, who was unjustly persecuted by the US government and recently freed after a year in jail when the courts agreed his constitutional rights had been violated, has now left the United States for a non-extradition country:


Wednesday, March 19, 2014

Weev’s lawyers appear in court

Some observations from today's appeal hearing of Weev (the notorious case of someone convicted of accessing public info).

What was it?

Andrew "Weev" Auernheimer was convicted of conspiring to violate the CFAA, and was sentenced a year ago to 41 months in jail. His lawyers appealed, the prosecutors submitted a reply brief, his lawyers submitted a reply to the reply brief. Today they got in front of the three judges of the Third Circuit Court to fight it out. Each side got to talk for 15 minutes, and the judges peppered them with questions.

Saturday, October 26, 2013

Third Circuit Court giggle

Yet again we have an example how the judicial system treats hacking like witchcraft. Lawyers submitting briefs to the court are required to have (the hacking equivalent of) a Catholic priest sprinkle Holy Water on the document to exorcise any demons or curses.

Friday, September 20, 2013

How Weev's prosecutors are making up the rules

Many of us believe that the conviction of Andrew "weev" Auernheimer proves that the system is corrupt, that the law can be arbitrarily applied to prosecute anybody. The rules are whatever the prosecutors say the rules are. There are one set of rules for the powerful, and another set for anybody who would challenge the powerful.

Today, prosecutors prove our theory correct. They submitted a 26,495 word brief in the appeal that does not conform to the Third Circuit's 14,000 word limit -- a limit that the defense struggled to fit within. In that brief, prosecutors arbitrarily redefined the Internet to prove that Weev (and friends) broke the rules. They liberally reinterpreted the rules of the Internet (the "protocols") to find Weev in violation -- while flouting the rules of the court themselves.

Tuesday, August 13, 2013

Swartz was indeed persecuted, not prosecuted

In what's become a disturbing refrain of late, the crazy conspiracy theories of Internet activists have turned out to be right. The case against Aaron Swartz was more political persecution than criminal prosecution.

If you'll remember, Swartz was the activist who wanted to liberate scholarly journals. He took advantage of the policies at JSTOR (which stores journals) that allowed anybody from the MIT network unlimited access to the journals. Swartz simply hooked up to the free MIT campus WiFi (and later, Ethernet) and started downloading them. This explanation glosses over important details, of course, but these are the essentials of the case.

Tuesday, July 02, 2013

I'm hacking your website

A dream team of computer+law geeks have put together an appellate brief in Weev's defense. A major feature is that simply "unwanted" access doesn't mean "unauthorized" under the law: just because you don't like what I do doesn't necessarily make me a criminal.

For example, I use "AdBlock" to block advertisements from websites. Since websites earn money from advertisements, my free-riding with AdBlock is unwanted access. But is this conduct prohibited under the CFAA? I don't think so, but then, I wouldn't have thought Weev's (adding one to a URL) or Lori Drew's (violating ToS) conduct illegal either.

Saturday, May 11, 2013

Nobody reads the ToS -- not even those who write them

GoGo Inflight is running a promotion right now giving you free Internet access on airplanes from your Blackberry phone/pad. Even if you don’t have a Blackberry device, you can still get the free service by changing your browser identifier to match a Blackberry (instructions below). Here’s the question: is spoofing your browser ID like this in order to get free Internet service illegal under laws like the CFAA ("Computer Fraud and Abuse Act")?

That’s an interesting debate, but there is a further twist: GoGo Inflight’s promotion violates their own Terms of Service (ToS). According to the ToS, you need a "user account" to use the service. However, the Blackberry promotion doesn't give you one, because it triggers off the browser ID. Thus, even if you have a valid Blackberry (and aren't cheating), you are still technically in violation of the Terms of Service.

Thursday, March 21, 2013

No really, use the 5th Amendment

The waitress at the bar is telling me she went to jail two years ago for a DUI, on her scooter, even though she passed all the sobriety tests. The reason she went to jail is because she admitted to having drunk a "couple of beers" before getting on the scooter.

What you should've said, I reply, is "I decline to answer that question on the grounds that it may incriminate me".

Tuesday, March 05, 2013

The debate over evil code

In the debate over “selling exploits” people haven’t defined what, precisely, an “exploit” is. The only definition is that they “know it when they see it”. In this post I’m going to describe something that isn’t clearly an exploit.

Back in 1998, I created one of the first "personal firewalls", known as "BlackICE Defender". We designed it to run on both Windows 95 and Windows NT. Win95 was the dead-end 16-bit operating system that is no longer in use, WinNT is the progenitor of today's Win7.

Tuesday, February 26, 2013

Context matters: we only appear to be blackhats

After the #Shmoocon cybersec conference, a bunch of us were hanging out in the bar playing “Cards Against Humanity”. The rules are just like the family game “Apples to Apples”, but with content that’s not so family friendly. For example, “Harry Potter erotica” which was the winning card for the suggestion “A new interactive exhibit that will expand Smithsonian's audience”.

An eavesdropper might conclude that we are a bunch of child molesters, murderers, rapists, or racists. Of course we aren’t. We are crass and jaded; we are only pretending to be horrible people.

Thursday, January 17, 2013

Aaron's Law: repeal CFAA rather than amend it

I hereby give you complete authorization to access over a network (but not physically) any computer I own. Nothing you do is unauthorized or exceeds authorization in terms of the CFAA.

The solution fixing the "Computer Fraud and Abuse Act" is not to amend it but to get rid of it. The Internet is world-wide, 95% of hackers trying to break into your computers are beyond the reach of U.S. law. Rather than providing a meaningful deterrent to bad hackers, what the law really does is create a chilling effect for our own creative geniuses. Genius geeks from Steve Jobs to Aaron Swartz should feel free to push the boundaries of technology without prosecutors and juries second guessing them.

Tuesday, November 20, 2012

You are committing a crime right now


Are you reading this blog? If so, you are committing a crime under 18 USC 1030(a) (better known as the “Computer Fraud & Abuse Act” or “CFAA”). That’s because I did not explicitly authorize you to access this site, but you accessed it anyway. Your screen has a resolution of . I know this, because (with malice aforethought) I clearly violated 18 USC 1030(a)(5)(A) by knowingly causing the transmission of JavaScript code to your browser to discover this information.

So we are all going to jail together.