Editing Aaron projects/CFAA

Latest revision Your text
<center>''Work in progress; please link to other work here''<br/>
[https://pad.textb.org/p/CFAA '''Draft of Principles'''] being edited online<br/>
Draft outline of replacement law underway</center>


;Goal: Let's describe what a full repeal & replacement of the CFAA[http://www.law.cornell.edu/uscode/text/18/1030] should look like.
;Goal: Let's prepare for a full repeal of the CFAA and replacement with sane law.
;Questions: How would we construct good law in these areas, from scratch?
: How do different areas of law, policy, and internet governance view the law and its impact?
Different parts of the story: National defense, cyber war, data sec, corporate law, contracts online.  Authorization based on code, contract, social norms.  Legal frameworks used to push political means.  Career standards for prosecutors defined in political ways.


== Background ==
; Aaron's Law
* [http://www.dmlp.org/blog/2013/impact-aarons-law-aaron-swartzs-case Analysis from January], [https://www.eff.org/document/eff-cfaa-improvements EFF suggested changes]
* [https://www.govtrack.us/congress/bills/113/hr2077 H.R. 2077] (Perlmutter bill; referred to House Judiciary subcommittee on Crime, Terrorism, Homeland Security, and Investigations)
* [https://www.govtrack.us/congress/bills/113/s1426 S. 1426] (Blumenthal bill; referred to Senate Health, Education, Labor, and Pensions Committee)
=== Comparative Law ===


== Details ==
*: Failure of proportionality


=== Legal elements ===
== Legal issues ==
There are 7 planks to [http://www.law.cornell.edu/uscode/text/18/1030 18 U.S.C. § 1030]
* Violating TOS is not a crime: 
*: Chin in US v. Drew - an individual, violating a TOS without a script, is pretty clearly not a crime.
* Still used in a civil context.  


# Knowingly accessing a computer without access or exceeding access, and obtaining security, foreign relations, atomic info
#: rarely used, as it is substantively overlapped by other areas
# Intentionally accessing a computer without access or exceeding access, and in so doing obtaining "information," financial records, or U.S. government info.
#: the biggest and most frequently used for access-and-downloading type offenses
# Accessing without authorization (not "exceeding") a US government owned or controlled computer
# Equivalent to the statute on [http://www.law.cornell.edu/uscode/text/18/1343 wire fraud], but replacing "wire" with "computer" and tweaking the details
#: Overlap with WFA, rather irrelevant in current environs
# Computer damage
#: three separate crimes ("damage" = impairment to integrity and availability of data; "loss" = reasonable cost of responding to offense, including costs of damage assessment)
#:: knowingly cause transmission of program and intentionally cause damage
#:: intentionally access a computer and as a result recklessly cause damage
#:: intentionally access a computer and as a result cause damage and "loss"
# Password Trafficking
# Extortion through use of computer


== Guiding principles ==
; Does 'authorization' make sense as the basis for such a law? 
: compare [https://necessaryandproportionate.org/text Necessary and Proportionate] principles
: As opposed to other corollaries re: trespass and access?


What substantive things should be in a rational computer crime law? 
; Aaron's Law status
* referred to the Committee on Crime, Terrorism, Homeland Security subcommittee of the Judiciary Committee (chair: Sensenbrenner)


; Parallelism with non-computer crime law


; Proportionate punishment
== Social issues ==


; Avoid confusion/overlap between different parts of the government : in terms of means and ways
; This shows confusion between different parts of the government : in terms of means and ways
* b/t different parts of the government
* b/t different philosophical and political goals
* b/t social-good and infosec goals
=== Points of consensus ===
Based on conversations with folks at the '''Cambridge/Boston''' hack, these principles emerged as points of agreement. Other groups feel free to chime in as well.
==== Reasonable defenses ====
* '''Scope should be limited''' - the law should not run to the boundary of what we find ethical or moral. We want people to have freedom to "mess around" with the web (perhaps with some negligence-based liability if they cause actual damage). As with media law and "bad journalism", copyright and "plagiarism," the law should leave the edge cases for the community to set up a moral/normative/shame-oriented punishment scheme.
** we feel as though there is sufficient persistent identity in the community that even pseudonymous hackers care about their reputations.
* '''Focus on bad ''access'', leave ''use'' to other laws''' - laws on copyright, trade secret, identity theft, espionage, extortion, and fraud govern most of the "scary" use cases.
** In this way, we are leaving the "hats" (black/white/grey/green) discussion for the community norms or existing law.
* '''Consent should always be a defense''' - server owners ask members of the public to do some weird stuff against their systems, but as long as they ask for it, it should never be a crime to access one's computer in that way.
* '''Consider technical effectiveness of site design''' for its intended use.  For code-based vulnerabilities and authentication measures, a "reasonable" standard may not be appropriate: defining what is "reasonable" may lead to unnecessary confusion.  But some consideration should be made to ensure that trivially-overcome measures are not within the scope.
==== What should be unlawful ====
* '''Setting up and triggering an exploit''' - even if it was not done on that person's computer.  Hold the party intending to do the bad behavior culpable.  [ex: sharing a tinyurl that carries out a sql-injection]
* '''Circumvention of a code-based authentication measure''' - leaving proportionality for another discussion. This includes cracking, password guessing, or human-engineering password disclosure.
*: Once we get to this set of actions, we're in fraud-land.  [this still shouldn't be penalized more than non-electronic fraud]
* '''Exploiting a code-based vulnerability to obtain information''' should be unlawful (leaving proportionality for another discussion). We are thinking of things like a SQL injection hack.
* '''Knowingly deleting or impairing the integrity or availability of the data''' should be unlawful if done intentionally or recklessly. Moving down to negligence or strict liability at a certain damage threshold is harder to say.
==== Uncertain areas ====
* '''Penetration testing''' is squishy.  An open call for bug bounties should be treated as consent to access the site (again, using other laws to govern bad uses)
* '''"Obtaining information from accidentally-open" sites''' is squishy.  E.g., sites that were supposed to be behind an authentication layer but are not. To a certain extent, it may be best to place the fault of this onto the coder of the site, with the comfort that certain uses by the obtainer of information may still be unlawful.
=== Open questions ===
Feel free to suggest brief answers, pointers to where this is discussed.
; Does 'authentication' make sense as the basis for such a law? 
: As opposed to other corollaries re: trespass and access.  Compare historical ways of handling these issues.
: Is feigning authentication fraud? (when simply making up a new account; impersonating yourself, and not someone else)
; Where do the following edge cases fall?
* 'sockpuppeting' authentication where it's assumed you have one-account-per-user?
: This is rarely prevented clearly. 
: Not the worst thing to do; it's not the same as impersonating a real person
* Circumventing the auth process altogether?
: This tends to be pretty bad.  It's clearly defeating the system, when it requires finding a subtle exploit
: Can be less bad when a system has an auth system but doesn't use it (e.g. it's never checked)
; What's the ECTF doing?  Who could provide oversight? 
: (cf [http://www.technewsdaily.com/16445-fix-hacking-laws.html fix-hacking-laws essay] and Robert Graham's comment)
; Do MIT and other tech institutions care?
: See [http://swartz-review.mit.edu/node/284 this question] on MIT's Swartz Review site.


== Active proposals ==


=== Aaron's Law ===
=== Patching existing law ===
''Lofgren & Wyden''
* Limit scope of "exceeding authorized access"
*: Say: contractual violation can't be the basis for this
* Lower some of the penalties for crimes that produce little or no harm
* Amend the Wire Fraud Act
* Delete a provision that is repeated elsewhere in the statute
* Clarify once and for all that violating terms of service agreements is not a crime.
*: NB - Chin in US v. Drew - precedent that an individual, violating a TOS without a script, is pretty clearly not a crime.  But it is still always used as a threat to amplify perceived risk.

; current status
* referred to the Committee on Crime, Terrorism, Homeland Security subcommittee of the Judiciary Committee (chair: Sensenbrenner)

* lower penalties for crimes that produce little or no harm
* cleanup: delete repeated provision, delete provision repeated in WFA
; Fork the Law page, listing legal history and proposed changes
* [http://forkthelaw.org/node/9 From mid-2013]
=== Creating something new ===
; Manifesto
* A la necessary and proportionate manifesto created after PRISM: https://necessaryandproportionate.org/text
* Hack on this version: [https://pad.textb.org/p/CFAA CFAA replacement]
; Drafting example legislation?
=== Additional needed resources (1 hour projects) ===
* mapping out where the CFAA overlaps with existing law; identifying areas left untouched.
== Scenarios ==
: ''Add yours below:''
* ''War Games'' scenario: someone breaks into a secured machine, accesses government secrets, and uses them to wreak havoc
* Rooting a box: Someone finds a way to log into a server, has a way to gain root on the server, and executes arbitrary code on it. 
* DDOS: Someone finds a way to overload a server by using its public services very frequently, causing it to be unavailable for days.
* Social Engineering: Someone gaining access to systems via confidence approach or subterfuge.
* Access Credential Sharing: Sharing commercially acquired user credentials with others (i.e. Netflix login).
* Pseudonym Use/Fake Persona: Creating one or more access accounts using pseudonyms/manufactured persona in breach of website or service EULA.
* Using Access to Perform Identity Theft: Nonauthorized access & distribution of personal or financial information by authorized users exceeding their granted access rights.
* Worm introduction: Engineering or introducing code to enable access to unauthorized data via autoreplication & propagation.
* ...