Editing Aaron projects/CFAA
Latest revision | Your text | ||
Line 1: | Line 1: | ||
<center>''Work in progress; please link to other work here'' <br/> | <center>''Work in progress; please link to other work here'' <br/> [https://pad.textb.org/p/CFAA Draft of Principles] being edited online <br/> Needed: Draft outline of replacement law, good law to emulate</center> | ||
[https://pad.textb.org/p/CFAA | |||
Draft outline of replacement law | |||
;Goal: Let's | ;Goal: Let's prepare for a full repeal of the CFAA and replacement with sane law. | ||
;Questions: How would we construct good law in these areas, from scratch? | ;Questions: How would we construct good law in these areas, from scratch? | ||
: How do different areas of law, policy, and internet governance view the law and its impact? | : How do different areas of law, policy, and internet governance view the law and its impact? | ||
Line 66: | Line 64: | ||
What substantive things should be in a rational computer crime law? | What substantive things should be in a rational computer crime law? | ||
=== Positive principles === | |||
(''see the draft'') | |||
; Parallelism with non-computer crime law | ; Parallelism with non-computer crime law | ||
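Review bot: the right-hand ("Your text") column drops the `=== Positive principles ===` heading and the `(''see the draft'')` pointer but keeps the `; Parallelism with non-computer crime law` definition item that followed them, so that item now sits directly under the question "What substantive things should be in a rational computer crime law?" with no section boundary. If the undo is only meant to revert the bullet-list edits further down, restore the heading line here so the positive-principle list stays identifiable.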
Line 71: | Line 72: | ||
; Proportionate punishment | ; Proportionate punishment | ||
=== Negative principles === | |||
; Avoid confusion/overlap between different parts of the government : in terms of means and ways | ; Avoid confusion/overlap between different parts of the government : in terms of means and ways | ||
* b/t different parts of the government | * b/t different parts of the government | ||
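Review bot: `=== Negative principles ===` is absent from the "Your text" column while `; Avoid confusion/overlap between different parts of the government : in terms of means and ways` and its `* b/t different parts of the government` sub-bullet are kept, so on the undone page these render as a continuation of the preceding list rather than as a separate section. Keep the heading unless the two principle sections are intentionally being merged.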
Line 79: | Line 82: | ||
Based on conversations with folks at the '''Cambridge/Boston''' hack, these principles emerged as points of agreement. Other groups feel free to chime in as well. | Based on conversations with folks at the '''Cambridge/Boston''' hack, these principles emerged as points of agreement. Other groups feel free to chime in as well. | ||
* '''Scope should be limited''' - the law should not run to the boundary of what we find ethical or moral. We want people to have freedom to "mess around" with the web (perhaps with some negligence-based liability if they cause actual damage). As with media law and "bad journalism", copyright and "plagiarism," the law should leave the edge cases for the community to set up a moral/normative/shame-oriented punishment scheme. | * '''Scope should be limited''' - the law should not run to the boundary of what we find ethical or moral. We want people to have freedom to "mess around" with the web (perhaps with some negligence-based liability if they cause actual damage). As with media law and "bad journalism", copyright and "plagiarism," the law should leave the edge cases for the community to set up a moral/normative/shame-oriented punishment scheme. | ||
** we feel as though there is sufficient persistent identity in the community that even pseudonymous hackers care about their reputations. | ** we feel as though there is sufficient persistent identity in the community that even pseudonymous hackers care about their reputations. | ||
* '''focus on bad ''access'', leave ''use'' to other laws''' - laws on copyright, trade secret, identity theft, espionage, extortion, and fraud govern most of the "scary" use cases. | |||
* ''' | |||
** In this way, we are leaving the "hats" (black/white/grey/green) discussion for the community norms or existing law. | ** In this way, we are leaving the "hats" (black/white/grey/green) discussion for the community norms or existing law. | ||
* '''Consent should always be a defense''' - server owners ask members of the public to do some weird stuff against their systems, but as long as they ask for it, it should never be a crime to access one's computer in that way. | * '''Consent should always be a defense''' - server owners ask members of the public to do some weird stuff against their systems, but as long as they ask for it, it should never be a crime to access one's computer in that way. | ||
* '''Circumvention of a code-based authentication measure''' should be unlawful (leaving proportionality for another discussion). This includes cracking, password guessing, or human-engineering password disclosure. | |||
* '''Exploiting a code-based | |||
* '''Knowingly deleting or impairing the integrity of the work''' - probably with some degree of intent | |||
* '''penetration testing''' is squishy - an open call for bug bounties should be treated like consent to access the site (again, using laws govern bad uses) | |||
* '''"accidentally open" sites is squishy''' - sites that were supposed to be behind an authentication layer but do not. | |||
* '''Circumvention of a code-based authentication measure''' | |||
* '''Exploiting a code-based | |||
* '''Knowingly deleting or impairing the integrity | |||
* ''' | |||
* '''" | |||
=== Open questions === | === Open questions === | ||
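Review bot: in the "Your text" column the `* '''focus on bad ''access'', leave ''use'' to other laws'''` bullet is removed but its sub-bullet `** In this way, we are leaving the "hats" (black/white/grey/green) discussion for the community norms or existing law.` is kept, so "In this way" now hangs under the "Scope should be limited" / "persistent identity" items and no longer refers to anything; either restore the parent bullet or drop the sub-bullet with it. The same column also loses the bullets on circumvention of a code-based authentication measure, exploiting a code-based measure, knowingly deleting or impairing integrity, penetration testing and "accidentally open" sites. Several of those appear in the left column twice and in truncated form (e.g. `* '''Exploiting a code-based`), so verify that the undo is discarding the author's text and not just lines cut off in this rendering before publishing.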
Line 120: | Line 108: | ||
: This tends to be pretty bad. It's clearly defeating the system, when it requires finding a subtle exploit | : This tends to be pretty bad. It's clearly defeating the system, when it requires finding a subtle exploit | ||
: Can be less bad when a system has an auth system but doesn't use it (e.g. it's never checked) | : Can be less bad when a system has an auth system but doesn't use it (e.g. it's never checked) | ||
; What's the ECTF doing? Who could provide oversight? | ; What's the ECTF doing? Who could provide oversight? | ||
: (cf [http://www.technewsdaily.com/16445-fix-hacking-laws.html fix-hacking-laws essay] and Robert Graham's comment) | : (cf [http://www.technewsdaily.com/16445-fix-hacking-laws.html fix-hacking-laws essay] and Robert Graham's comment) | ||
== Active proposals == | == Active proposals == | ||
Line 159: | Line 145: | ||
* mapping out where the CFAA overlaps with existing law; identifying areas left untouched. | * mapping out where the CFAA overlaps with existing law; identifying areas left untouched. | ||