To me that reads less as "this is legal" and more as "this is illegal, but we (the executive branch of the government) will be nice and not go after you for it as long as we think you're a good guy". That's (arguably) better than nothing, but not exactly an ideal way to structure our justice system in my opinion.
Yes, but I don't see a better solution. If we make "security research" legal, then any hacker can just say "oh I was just going to disclose my findings to them".
Knowing the audience of this forum, you’re probably American and under 35. You have lived your whole life with an inoperable legislator. The US Congress, through a mixture of time-honored traditions with unfathomable externalities (there can never be more than this amount of representatives) and disinterested sports-like politics, is unable to print new laws in a reactive fashion. This means that kludges, with their own unfathomable externalities, look like sane solutions. They’re not. A functioning democracy would set up a legal framework for ethical research.
Not really, many professional researchers notify law enforcement when engaging in something that could be viewed as illegal or generate calls to the police.
What should happen is the addition of a "reasonable" standard and using existing case law policy positions to not prosecute people who have a reasonable basis supporting their claim of security research.
Instead we'll be left with the lazy lawmakers doing nothing and the executive saying they'll prosecute only the people who "deserve" it.
Any time you see that word you can be pretty sure that the matter under consideration is a fact question for the jury. The reason you hate that word is because you prefer hard and fast, bright line rules. That’s fine, I do too.
Reasonable just means there’s no good way to have a bright line rule and we have to consider these questions one at a time, in context.
Given that most cases never go to trial, and the possibility of long prison sentences and large fines is used as a threat against individuals, the idea that a jury might find it "reasonable" is small solace to someone facing multiple charges of violating the CFAA, with corresponding jail time and fines. Weev was sentenced to 3.4 years of prison time and a fine of $73,000 for the crime of downloading a sequentially numbered unprotected data set. Though the sentence was later reduced, he still went to prison for a non-zero amount of time.
The prosecutor has a vested interest in making you look like a bad person. Even if there is no evil in your heart, they will dig into your history and find some dirt, then lie and twist your words to make you into some sort of evil hacker, so that the "reasonable" people on your jury, seeing the prosecutor's version of you, are going to think you deserve prison time.
Is the inference here that the evil in weev’s heart was put there by a criminal prosecutor? That was quite a trick.
It’s a real shame that weev didn’t have someone who was in his corner who was interested in making him look completely innocent. It seems like the system is rigged!
The use of "reasonable" is generally used to qualify some standard of behavior or conduct that is expected from individuals in specific situations. Because "reasonable" is inherently subjective, the responsibility for making the determination is (generally) passed over to a jury who will weigh what the prosecution and defense have presented which entails previous cases, the specific fact pattern of the case being deliberated, etc.
There are also situations where an actual judge makes the determination but generally, in a criminal context, it's up to a jury.
I don’t think you’re viewing it quite correctly. Reasonableness standards usually exist in order to funnel legal compulsion into a narrower range than would exist without them. It can bracket out behavior that to the average, ordinary, everyday member of that particular community would be extreme on one end or the other. You generally don’t want the law to require people to behave in extraordinarily heroic or extraordinarily cautious ways compared to how an ordinary person under similar circumstances would act. And “ordinary” here is also context-sensitive. What’s reasonable for an ordinary teenager may be extremely impulsive or foolish for an ordinary adult. Or what’s reasonable for an ordinary expert in a field may be wildly dangerous, say, for an ordinary layman.
All that said, though, reasonableness standards exist all over the law and don’t all necessarily serve the same purpose or function exactly in the same way, when you get into the weeds.
Similar in flight rules: one cannot fly a paraglider over a "congested area". But what is a "congested area" is intentionally not defined in the rules, and left up to judges to decide for each case separately.
Because if FAA tries to come up with a definition, there will always be weird unjust corner cases. Or just ban the paragliders whatsoever. I think the current ambiguity is the best compromise.
Judges typically consider matters of law. Usually “reasonable” is a cue that you are discussing a matter of fact, which is the province of the jury.
Sometimes you will have something called a bench trial, where it is agreed that the judge will also serve the role of the fact finder, and there will be no jury.
> Usually “reasonable” is a cue that you are discussing a matter of fact, which is the province of the jury.
And then there are motions for a JMOL (see FRCP 50), where a judge has to decide whether a “reasonable jury” could have a legally sufficient basis to find in favor of a party.
I generally hate it too. But it is better than "it's illegal, but we won't prosecute researchers". Note that "researchers" is also undefined. Reasonable would be one step up from the even worse status quo.
Well, the thing about making security research legal is that the law can outline what is legal and illegal security research, instead of leaving it in a grey area of a policy statement that may change at any time without notice, or from a political agenda.
A well-executed law change will make it very clear where the line is to get into illegal territory and would likely include industry feedback in the drafting. The downside is it could also go the other way: policy changes are executed by politicians who likely have a fairly poor grasp of the tech and industry, and could leave the policy in a worse shape until tested by the court system.
If the law were to, say, outline steps the hacker must do, barriers they can't cross, it may actually make it harder for a hacker to say "I was just doing research".
Laws are written by legislators, not the Department of Justice. An administrative decision by the executive branch does not change that fact. Accessing a computer system without explicit authorization or "hacking" is a federal crime. If you "hack", you can be charged with a felony for doing so at the discretion of federal prosecutors. The law isn't some magical too-incomprehensible-for-mortals text requiring magicians and soothsayers to interpret _literally_ every single clause and statement for you. As an adult citizen of a country (with an IQ above room temperature), you should be able to correctly interpret statements like the above, as was done by the person to whom you replied.