Orin Kerr: Why I Am Representing Auernheimer Pro Bono on Appeal (volokh.com)
220 points by rdl on March 21, 2013 | 110 comments



Good to hear. I have quite a lot of respect for Kerr; he's one of the foremost experts in this area (the intersection of the 4th amendment with computers and networks), and I think Weev's case is a serious injustice.

As an aside, I actually think it's clear that Weev's case is a vastly larger injustice than Aaron Swartz's case.

Swartz clearly violated the law in an act of willing and knowing civil disobedience. The law restricts people from unauthorized access to a network; Swartz and the MIT network admins played a game of cat and mouse as they kept banning him, and he kept finding new ways of gaining access to the network. There's no way to argue Swartz didn't realize that he was gaining unauthorized access to a network. At one point he was hiding his face from security cameras; there's no way to spin that as "oh, he thought he was doing something perfectly allowable!" And once caught, he was offered a reasonable plea deal.

In contrast, Weev...fairly clearly did not gain unauthorized access to a network. It was a publicly available website, and no one ever tried to stop him. His actions were at worst borderline, and yet he ended up with a sentence MUCH higher than Swartz.

I have a lot of sympathy for Swartz (not least because of his tragic suicide), but at the end of the day he knowingly and wilfully violated the law in an act of civil disobedience, and was offered a plea deal of less than a year. Weev probably did not violate the law, and was sentenced to years in prison.

Weev needs and deserves help. I had to cheer a bit when I saw Kerr was going to be helping him.


Honestly, both are/were/would have been bad test cases. With Swartz you've got two issues in the same case: downloading JSTOR articles and trying to get on MIT's network despite being banned. It's easy to support the former without supporting the latter and "muddled" makes for a bad test case.

With Weev, you've also got two issues. He was not just convicted of downloading things from AT&T's network. If that was the beginning and end of it, it would have made for a good test case. Instead, he downloaded tens of thousands of pieces of personal information then bragged on IRC how he was going to sell it to scammers to damage AT&T. That's not "civil disobedience." That's malicious.

Note that this is on appeal, so the jury's verdict on the "fraud in connection with personal information" charge is to a degree locked in. On appeal, you don't get to argue: "the jury was wrong, he didn't really intend to sell the information to scammers or to use the information maliciously." The jury is empowered to decide whether they believe the defendant's story or not, and on issues of credibility it's almost impossible to overturn the jury's finding on appeal.

Thus, you're left arguing from a very weak position: yes, the guy did commit fraud in connection with personal information, but changing letters in a URL isn't "illegal access of a network" so the CFAA charge should be dropped. So at best you're hoping for a remand to re-sentence without the CFAA conviction, and the fraud charge by itself carries a maximum penalty of more than 41 months anyway.


I agree with you completely here.

However, I think that it's worth arguing from that weak position. I've had a hard time articulating why I think that a) weev's online actions aren't illegal, and yet b) weev should still be punished. But arguing from that weak position and getting the CFAA charge dropped would actually resolve this issue. My problem with what weev did, and why I think he should be punished, is because of his malicious intent. So getting the CFAA charge dropped would be a win for everyone, but leaving the fraud charge in place would still appropriately punish weev (although I think 41 months is too high).


His malicious intent was to damage ATT's reputation, not to cause harm to individuals via their email addresses.

That was discussed, and then not done.

Damaging ATT's reputation via demonstrating how insecure and careless they are, while malicious, is not criminal.


...while malicious, is not criminal.

I think this case, along with Swartz's case, and the Alfred Anaya case that was on the HN front page last night [1] all serve to demonstrate that at this point, a criminal act is whatever a Federal prosecutor decides is a criminal act. In the Anaya case, the "crime" of which he was convicted wasn't even illegal under Federal law, and yet he's serving 24 years.

[1] https://news.ycombinator.com/item?id=5413127


You have to be joking. You're linking to an article about a guy who installs secret compartments in vehicles for narcotics traffickers. Even after he finds a floor stuffed with $800,000 in cash, he continues to help them, repairing the compartment in one car and agreeing to install a compartment in another.

What is so hard to understand about the concept that something may or may not be a crime depending on context? Standing in front of a door? Not illegal in general. Standing in front of a door to keep police from being able to chase a bank robber? That's aiding and abetting and is and should be illegal.


Why should installing hidden compartments be illegal? As the article states, they are "a popular luxury item among the wealthy and shady alike". Is having large amounts of cash in your vehicle illegal?

Do you believe distributing BitTorrent and Tor should be illegal as well? After all, they're used for copyright infringement and other nefarious purposes, but also for distributing Linux distributions and avoiding totalitarian government surveillance.

If we considered providing everything that could possibly be used for illegal purposes "aiding and abetting" then nearly everyone would be criminals.


It's not having hidden compartments that's illegal. It's building hidden compartments for people when you know they will be used for illegal purposes. It's simple accomplice liability. See my rant on people ignoring context.


You don't know it will be used for illegal purposes, unless they explicitly tell you so. Otherwise, if you assume they will be used for illegal activities, for instance based on the appearance and behavior of the owner, you are discriminating and can be sued for that.

If you refuse someone service because he's black, you are wrong. If you refuse someone service because you think he's a criminal, you are wrong again. If you provide someone service despite thinking he may be a criminal, you are also wrong. It's a lose-lose situation. Best not offer services that may be used for criminal activities. /s


While you may be technically correct according to current "law" as defined by the government, I posit that there is absolutely nothing wrong with building said secret compartments under those circumstances. If you haven't initiated force or fraud against someone and violated their rights, you probably haven't committed a crime.


Having $800k in cash in your vehicle is in fact illegal in California.


...once again winning the competition for worst state ever.


I think the 10k cash in person limit comes from the PATRIOT Act, which is nationwide. Being the largest state, California does arguably bear the most responsibility for the tragedy that is the PATRIOT Act, but calling it the worst state is not fair.

Did California have a law prohibiting transporting large sums of cash before? Can you link me please?


The PATRIOT Act does not prohibit carrying cash.

You are thinking of the $10k limit on undeclared currency at the border. That's pre-PATRIOT.


I still love that on the same landing form where they say:

"Are you carrying > $10k in cash"

they also ask

"Are you a terrorist?"

and

"Are you a nazi war criminal?"

Has anyone ever checked the "Yes" box to either of those?!


Probably everyone born after 1945 should start checking the "nazi war criminal" one, but I'm not brave enough to be the first.


I'm gonna guess many "false statement" charges come from these.


Well that's bullshit (the law, that is)


I'm not saying Anaya wasn't an idiot — even willfully so — or that he shouldn't have been charged under California statute on traps and their being used to transport narcotics. The issue in his case isn't that he wasn't guilty of a crime; it's that he wasn't guilty of a Federal crime — both because there is no such Federal crime, and because he could perfectly well have been prosecuted, convicted, and sentenced under perfectly applicable State law.

Contrariwise, do you seriously believe that he deserves more than twice the sentence that the people who actually trafficked the drugs got? Do you actually think that your notional door-blocking person should have his case usurped by the Feds and get a stiffer sentence than the bank robber he aided and abetted?

(Edited)


Building hidden compartments for people in SoCal is stupid. Building them after you see 800k stuffed in a car is not just the sign of an idiot, it's the sign of someone consciously choosing to profit from facilitating criminal activity. And it can be totally valid to punish one person who helps out many criminals more harshly than one single criminal. It's also the case that sentences are handed down not just based on what the defendant did, but what the prosecutor could prove, and it's quite possible that Anaya left more evidence that could be used against him than a seasoned criminal.


>it's the sign of someone consciously choosing to profit from facilitating criminal activity. And it can be totally valid to punish one person who helps out many criminals more harshly than one single criminal.

It is now a matter of public record that HSBC, Wachovia, JP Morgan, and others have laundered huge sums of 'drug money' in operations ongoing for many years. So, for those individuals and companies who continue to do business with the banks involved, are they "consciously choosing to profit from facilitating criminal activity"?

Can a businessman refuse service to someone they suspect is involved in criminal activity?

Does a businessman have a duty to refuse service to someone they suspect is involved in criminal activity?


Holy hand-wavy, HN.

Yes or no: do you think the Feds' actions in this case were kosher? Do you think the Feds pulling shit like that is kosher in general?


I totally agree on the substance of what you said. Just noting that these sorts of cases are much easier when the client is pure as the virgin snow.


Malicious intent only satisfies one half of the definition of a crime -- the mens rea component. You also need an actus reus -- a guilty act. That's where this case falls down.


You don't need a guilty act. You need an act. A crime can be taking an otherwise legal act with malicious intent.


He didn't brag about selling them. It was a joke. Read the IRC logs. What did he do? He wrote the media.


So anyone who scrapes facebook and gathers a bunch of email addresses and brags on IRC about how they could sell them to scammers is now liable for a federal felony?


If he didn't actually sell the information, is it really a crime? Is it really intent? I can type out or even copy/paste a bunch of words, but does that prove intent? The guy is a troll--it's expected he would try to get a rise out of people.


Didn't he use an unpublished link? That would be "unauthorized" to me.


That strikes me as a very surprising position to take.

So you consider it a felony to enter in a browser some URL that has not been "published". What exactly counts as published? For instance, if I created another page that links to it, is that "published"? Is it still "published" if I later delete that other page? Is it "published" if someone else somewhere in the world creates a page linking to it, but I never create one? What if I print a riddle in the newspaper, which says that the answer to the riddle is the URL in question... is that "publishing" it? What if it's a really HARD riddle? What if I don't print the riddle in the newspaper, but it's a really easy riddle... something like "just add one"?

I honestly do not think that whether you "publish" a URL should be used as an indicator of whether access is authorized. Every web server I have ever heard of has the ability to return a "401 Unauthorized" error code, and to do so or not based on the credentials of the person connecting. If I were writing the law, I would say that guessing a password to put in such a box, or accessing it with a malformed request that used a bug in the server to bypass such a credential check, would certainly qualify as "unauthorized access", but that "AT&T didn't bother to require a check before returning the data to any browser that asked for it" would be evidence that it was explicitly authorized.


Curious - did I do something "unauthorized" by entering:

https://news.ycombinator.com/item?id=5419914

Into the URL bar? (One less than this article's URL)


It's absurdly reductionist to make arguments like this. There are lots of things that are okay or not okay based on context. Is it unauthorized to type the above into a URL bar? Almost certainly not. Might it be unauthorized if you type it into a URL bar, see that it contains private information that by its nature was probably not intended to be public, then do it 10,000 more times? Then that might be unauthorized.

There is no reason to reduce the world to absurd simplicities when even children would be able to distinguish between various courses of action.


Actually, that is exactly what Orin Kerr is arguing. Prior cases show that accessing a public URL, even if you enter specific IDs or similar, is NOT unauthorized access, neither is doing it multiple times or using a script.

The URLs were public to start with (so that the iPads could make use of it), he just went further than intended by AT&T, but that is not a crime (at least, that is what is argued).


I do have to disagree a bit with Orin there. Poking at an integer on a querystring and discovering that you can freely change it and get other people's results shouldn't be a crime, misdemeanor, felony, or otherwise. It's so easy that one can literally perform this "hack" by accidentally failing to copy and paste the last character of a URL somebody sent to you. If we're going to make that a felony every computer owner might as well just give up and report to the nearest prison forthwith, because you're all but doomed to commit crimes in the course of normal usage.

However, scripting that to do it many thousands of times and then collecting the information that results is a qualitative change of behavior. That's not proving a point, or being a responsible security researcher, that's something else.

I agree with the rest of his analysis, but a sufficiently large quantitative change can become a qualitative change just by sheer size.


> However, scripting that to do it many thousands of times and then collecting the information that results is a qualitative change of behavior. That's not proving a point, or being a responsible security researcher, that's something else.

What if you did it by hand? Where's the line between what's ok and what's not?


Ultimately the line is drawn based on what the evidence implies about intent. What does downloading 10 URLs by hand to get a proof of concept say about intent versus downloading 10,000 with a script?

If we're going to give "security researchers" license to test other people's systems without consent, shouldn't we at least have some understanding that such actions will be narrowly tailored to prove the necessary point?
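The "10 URLs by hand versus 10,000 with a script" distinction discussed above is something the server operator can actually measure. As an added example that is not part of the original thread, and not code from AT&T or from anyone in it, here is a Python pass over constructed access-log lines (combined log format; the addresses, ids, timestamps and the `userid` parameter name are all invented for the example) that flags any client whose requests walk a run of consecutive id values. The `min_run` threshold is an assumption; tune it to the site.

```python
"""Added example: spotting sequential-id enumeration in web-server access logs.

The log lines below are constructed for this example (combined log format,
invented addresses, ids and timestamps); they are not real traffic.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
10.0.0.5 - - [21/Mar/2013:10:00:01 +0000] "GET /acct?userid=4831 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [21/Mar/2013:10:00:01 +0000] "GET /acct?userid=4832 HTTP/1.1" 200 58 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [21/Mar/2013:10:00:02 +0000] "GET /acct?userid=4833 HTTP/1.1" 200 63 "-" "Mozilla/5.0 (iPad)"
10.0.0.9 - - [21/Mar/2013:10:00:02 +0000] "GET /acct?userid=4834 HTTP/1.1" 200 60 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [21/Mar/2013:10:00:02 +0000] "GET /acct?userid=4834 HTTP/1.1" 200 60 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [21/Mar/2013:10:00:03 +0000] "GET /acct?userid=4835 HTTP/1.1" 200 59 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [21/Mar/2013:10:00:03 +0000] "GET /acct?userid=4836 HTTP/1.1" 404 0 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [21/Mar/2013:10:00:03 +0000] "GET /acct?userid=4837 HTTP/1.1" 200 62 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [21/Mar/2013:10:00:04 +0000] "GET /acct?userid=4838 HTTP/1.1" 200 57 "-" "Mozilla/5.0 (iPad)"
10.0.0.5 - - [21/Mar/2013:10:00:04 +0000] "GET /acct?userid=4839 HTTP/1.1" 200 61 "-" "Mozilla/5.0 (iPad)"
192.0.2.7 - - [21/Mar/2013:10:00:05 +0000] "GET /acct?userid=4840 HTTP/1.1" 200 60 "-" "curl/7.29.0"
192.0.2.7 - - [21/Mar/2013:10:00:06 +0000] "GET /acct?userid=4841 HTTP/1.1" 200 58 "-" "curl/7.29.0"
192.0.2.7 - - [21/Mar/2013:10:00:07 +0000] "GET /static/logo.png HTTP/1.1" 200 9001 "-" "curl/7.29.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# The id-carrying query parameter; "userid" is an assumed name for the example.
ID_RE = re.compile(r"[?&]userid=(\d+)")


def parse_line(line):
    """Return a dict with ip, ts, method, path, status (int), ua; None if it doesn't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers in the collection."""
    best = cur = 0
    prev = None
    for uid in sorted(set(ids)):
        cur = cur + 1 if prev is not None and uid == prev + 1 else 1
        best = max(best, cur)
        prev = uid
    return best


def find_enumerators(log_text, min_run=5):
    """Clients whose requests walk at least min_run consecutive userid values.

    Every request carrying a userid counts toward the run (a 404 in the middle
    is still part of the walk); 'leaked' is the number of distinct ids that
    actually came back 200, i.e. what the server handed over.
    """
    attempted = defaultdict(set)
    leaked = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = ID_RE.search(rec["path"])
        if not m:
            continue
        uid = int(m.group(1))
        attempted[rec["ip"]].add(uid)
        if rec["status"] == 200:
            leaked[rec["ip"]].add(uid)
    flagged = {}
    for ip, ids in attempted.items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[ip] = {"longest_run": run,
                           "distinct_ids": len(ids),
                           "leaked": len(leaked[ip])}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(ip, stats)
```

Run against the constructed log this flags only 10.0.0.5 (a nine-id walk, eight of which returned data); the two-id client at 192.0.2.7 stays below the threshold. The point of counting attempts rather than successes is that a walk with gaps in it is still a walk, while the `leaked` figure is what you would report as the exposure.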


It says nothing to people in the know.

It takes no longer to write a script to scan an entire range and return all valid results than it does to scan a specific set, and it avoids having to pick known good IDs.

You aren't giving anyone license any more than the tide needs license to use the beach. You need to recognize that unpassworded sequential URLs are a vulnerability even if you shoot the messenger.

And thus, shooting the messenger, and justifying it, is evidence of someone who doesn't get "it".


It also spoofed the user-agent of an iPad.

Still, it made a request to a webserver, and the webserver gave up the data. That's not the requester's fault.


I use a spoofed user agent all of the time.


> However, scripting that to do it many thousands of times and then collecting the information that results is a qualitative change of behavior

How is this different than using Facebook's graph URI endpoints ---- excepting the fact that Facebook publishes the schema?

What if Facebook had some URIs that were not covered in the schema? Are you then liable for a federal felony if you access them? Or are they liable for failing to protect personal information by not keeping it behind an encryption interface?


I just said it's a qualitative difference. I deliberately did not opine on the legality or the ethics, I simply reject the idea that we can say that there's no difference between a by-hand downloading of a couple of URLs and a massive by-script downloading of thousands+. As is so often the case, there's no bright shining line, but there is a line here, and trying to be reductionistic and claim there's no difference is, in my opinion, not a valid argument.

It may very well be the case that it should also not be illegal, or that we want the common sense solution where it's still "illegal" but not a criminal felony but rather a civil matter (illegal is not a binary flag, after all).


>However, scripting that to do it many thousands of times and then collecting the information that results is a qualitative change of behavior.

So, a search engine then. Let Google, Bing and DuckDuckGo know they're wanted for questioning.


As I observe elsewhere, all I'm saying is that there's a qualitative difference, not that the qualitative difference implies illegality. Are you going to defend the proposition that there is no legal, moral, or philosophical distinction that can be made between Google and a guy downloading a web page once by hand?

Also, I've long been of the opinion that if we had somehow gotten to today with no search engines, and Google tried to start up today, that they would be slammed to the ground by lawsuits, which they would probably lose. I consider this a criticism of the law, not the search engines.


> Are you going to defend the proposition that there is no legal, moral, or philosophical distinction that can be made between Google and a guy downloading a web page once by hand?

I'm not a lawyer so I can't speak directly to "legally" but I believe there shouldn't be a legal difference between a search engine loading a page and me doing it by hand. After all, how would I hand verify what my search engine is saying if doing so might be illegal?

>Also, I've long been of the opinion that if we had somehow gotten to today with no search engines, and Google tried to start up today, that they would be slammed to the ground by lawsuits, which they would probably lose. I consider this a criticism of the law, not the search engines.

You could be right and I would agree the law today is horribly screwed up.


No, not "Google pulling one page"... Google. The whole thing. We've been talking about the difference between grabbing one page and grabbing thousands+ of pages all along... are you reading what I'm actually saying or just knee-jerking here?


> Also, I've long been of the opinion that if we had somehow gotten to today with no search engines, and Google tried to start up today, that they would be slammed to the ground by lawsuits, which they would probably lose.

What exactly has changed in the law in the 15 years since Google started up? The CFAA is almost 30 years old...


Okay, fair enough - so instead of Article URLs, I started typing names:

  https://news.ycombinator.com/user?id=paulgraham
  https://news.ycombinator.com/user?id=RHashem
  https://news.ycombinator.com/user?id=RayinerHashem
To see if I could get any personal information like email addresses, profile information, etc... What if instead of usernames, they were simply integers, i.e. https://news.ycombinator.com/user?id=000001, https://news.ycombinator.com/user?id=000002, etc...

Was that unauthorized? How about illegal?

Seriously - I think Weev is a complete Troll, and he was totally hacking AT&T - but I don't think his actions came anywhere close to criminal. I'm really happy to hear he has competent representation.


Honestly I am struggling to think of an action that is ok to do once but illegal to repeat a thousand times - you make it sound like the bad businessman's theory: we make a loss on each item but make up for it in volume.


Try dumping one coke can on someone's yard versus 10,000.


Do you want my physical address? I'll take your 10,000 aluminum cans.


Not cans. The contents of the cans.


In that case, either one may be littering, vandalism, or property destruction. While it would be wasteful and silly to pursue a prosecution for one occurrence, a single occurrence is still a crime.


Let's go to the logical extreme then:

Is dripping one solitary drop of soda the exact same crime as inundating your yard continuously with soda for, say, 24 hours?


Hilarious example, since both would involve trespassing and destruction of property. It's just that 10k would be enough to have it pursued and one likely wouldn't.


There are various charges that could be brought in the second case based on what dumping 10,000 cans versus 1 can says about intent.


Knocking on my door.

Once is fine. 1000 times is harassment.


A list of a bunch of hashes of an email address and some sort of ID number? Sounds like a "White Pages" to me.


Please tell me you're not in any powerful political position. You sound exactly like the kind of evil people in charge who are finding new ways to arrest people for things that weren't illegal before hand.


I'm curious as to why most technical issues on HN involving the law come down to silly black or white viewpoints? I thought this audience would be sophisticated enough to know that this type of thing isn't a binary either/or issue.

Are you purposefully ignoring the fact that the law relies on context to determine if you are acting in good faith or not? Or is everyone who reduces this issue to an either/or position doing so purposefully just because they hate the fact that there is nuance to the law which is much more subtle than the science most of us are schooled in?


I'm not sure if you are responding to me or not - tough to tell from the indent - but, I really am interested in people's viewpoints - no ulterior motive here.

Some people would say typing in their own article ID values into a URL bar is unauthorized, but not illegal. Some people would say that typing username ID values to get personal email addresses, is unauthorized, but probably not illegal. Some people might say writing a script to enter all combinations of userids to get username/email addresses on HN is illegal, but probably not a felony.

I was genuinely interested in hearing what people had to say, as I trust our audience here, and let their opinions shape mine.


Can you clarify what "published" means in the context of a http link? Preferably citing the appropriate section in the RFC, http://www.w3.org/Protocols/rfc2616/rfc2616.html?


Basically, if he loses the court case, a 404 page may result in getting an orange jumpsuit and a nice check to be paid. In my opinion leaving personal information accessible to the general public (i.e. no authentication needed) is a crime. Letting journalists know is not a crime. In this case AT&T is responsible for misplacing personal data, and not the guy who had free access to it. In some ways it's really similar to the Aaron Swartz case, as both guys found a way to get the data, and both got sued. I would suggest looking into this case more closely, as if he ends up in jail or pays a dime, a simple misuse of some company's website and/or public API (think Google Maps, etc.) could land you in jail.



The fact that a security mechanism is poor shouldn't mean that it doesn't create a legally enforceable boundary. If I tape my door shut instead of buying a proper lock, that doesn't give you the right to walk in.


Bad analogy. A door is an access control mechanism. A Uniform Resource Locator is not.

A more apt analogy would be claiming that having your phone number not published in the phone book constitutes a legally enforceable boundary against being contacted by phone.


We can debate about whether URLs have elements of an access control mechanism or not, but if obscured URLs don't create a legally protectable boundary, the argument should be because they're not an access control mechanism, not that they're a poor access control mechanism (which is the usual implication of "security through obscurity"). In other words, the argument should be about how clearly the boundaries are drawn, not how effective the security mechanisms are.


Granted. The security-through-obscurity link was an oversimplification.


Here's an analogy for you:

I don't publish my address in the phonebook or anywhere, but because you know that 4001 Example street is a house and 4003 Example street is a house, you're still able to solicit me at 4005 Example street.


Mr. Kerr is a standup guy. Not everyone agreed with his measured defense of prosecutorial conduct in Aaron Swartz's case (https://news.ycombinator.com/item?id=5053754) but he has always been firm in opposing the misuse of the CFAA on principled and constitutional grounds. That he's defending someone that even the Reddit crowd despised (for personal reasons) is a confirmation of Kerr's respect for principles.


>...even the Reddit crowd despised

That's a terrible standard. There are some pretty awful things said by Redditors, especially in Weev's recent thread.

I think Kerr's defense of Weev is less for Weev's personal sake than it is for the sake of Kerr's vocation. Either way I'm glad he is stepping up.


Yes, that's what makes me quite trusting of his claimed motivation. Weev is one of the less sympathetic defendants you can find in this case in general, and is not aligned with Kerr's own politics or personality either (Kerr is generally a moderately conservative guy, in favor of law-and-order but with strong safeguards for liberty).

That leads me to suspect that Kerr is especially worried about the precedents here, much more than he's worried about Weev's own fate.


I guess what I mean is that as a purported figure of Internet freedom and federal overreach, weev is not a great poster boy. Usually, when you're in the position of picking battles to fight, as Kerr is, you want everything in your favor, and hell, why not a defendant that you have no problem being associated with. Kerr's insistence on turning back a flawed law apparently outweighs whatever distaste he might have for weev on a personal or political level. So, good on Mr. Kerr.


Many people can't imagine how what weev did is a crime according to the law, and comments in HN threads about legal issues seem to be based on the assumption that the legal system is a consistent set of rules, sort of like the axioms of mathematics, in which a certain question or problem is posed and by a correct application of the rules of the legal system it is possible to come to a definite conclusion about what the law says. However, there is an amazing paper which shows that in virtually every case, a "correct" application of law actually leads to different conclusions which contradict each other.

This excellent paper is by Karl N. Llewellyn and is called "Remarks on the Theory of Appellate Decisions and the Rules or Canons about how Statutes are to be Construed"[1]. I once read almost the whole thing, and the following quote from the first page sums up his main point pretty nicely.

"The major defect in [the legal system] is a mistaken idea which many lawyers have about it—to wit, the idea that the cases themselves in and of themselves, plus the correct rules on how to handle cases, provide one single correct answer to a disputed issue of law. In fact the available correct answers are two, three, or ten. The question is: Which of the available correct answers will the court select—and why? For, since there is always more than one available correct answer, the court always has to select."

IIRC, he discusses the role of precedent as an important aspect of deciding how to apply the law, but also the ability of a judge to decide to overturn a precedent for a wide variety of reasons. He also discusses the role played by the intention of law makers when passing law, which is ultimately a subjective judgment made by a person, and which is not spelled out in the actual written law itself.

The paper is considered something of a classic, and I would encourage everyone to take a look at it.

[1] http://mtweb.mtsu.edu/cewillis/Hermeneutics/Llewellyn%20on%2...


I was at the sentencing and the prosecution argued that spoofing the user-agent constituted fraud...

https://addons.mozilla.org/en-US/firefox/addon/user-agent-sw...

My friend also informed me:

" HTTP has an error code, 401, for unauthorized access. AT&T responded with code 200 meaning OK."

The more one finds out about this case the more incredible it is.


This, to me, is the totality of the case: AT&T said accessing that data was OK. If it wasn't they should have returned a 401 or challenged for further authentication.

Incrementing a phone number by one doesn't make it illegal to call it. If the person at the end then says "who are you" and you lie, then that's fraud. But if they just tell you something, there's no way anyone can claim that you obtained that information unlawfully.


Here's the problem with all of this: If you send a sufficiently vulnerable server a specially crafted request, you can get it to come back with "200 OK" and a list of everybody's credit card numbers. Conversely, if you're an employee of Foo, Inc. and you sign in to a secure server with your personal account and try to do something privileged, it's going to come back with "401 Unauthorized" and not give you anything even though you are actually authorized, and if you then sign in with your employee account it will allow you to do that thing.

As a general rule what the machine says has a very strong relationship with whether or not you're authorized to do something. The issue is that if you're not authorized then a properly functioning machine just won't let you do it, which means that it seems impossible for anyone to violate this law against a server that is working properly.

The only way anyone can be capable of breaking this law is if the server is not working properly and allows them to gain access without authorization. Which is why "unauthorized access" is such a vague and hopeless disaster. Going by the normal mechanism for determining whether you have authorized access, namely whether the server allows you to do something, would mean that no one could ever commit the crime, because either you never actually gain unauthorized access since you're prevented by a server with sufficient security, or you succeed in convincing the server to let you do something which under normal circumstances implies that you're authorized.

Seemingly the only way anyone would ever be convicted is based on a pile of circumstantial nonsense about how the defendant should have known they weren't authorized to do something that the server allowed them to do, even though normally you are authorized to do anything the server allows you to do.

So it becomes a de facto law against "doing bad things with a computer" -- not a specific prohibition against anything in particular, just something you stick to anybody who you don't like, because hey, if you did something "bad" then it wouldn't be authorized, right?


> If you send a sufficiently vulnerable server a specially crafted request, you can get it to come back with "200 OK" and a list of everybody's credit card numbers.

If, if, if, if. What Weev did was spoof what kind of client he was using. That's it. What you're sugar coating here is using exploits to break into a secure system. That is, you encounter a secured system and find a way to circumvent that security. For the data Weev encountered, was there any possible way to get a 401 response for the URLs?


>What you're sugar coating here is using exploits to break into a secure system.

No. Because using "exploits" (not a legally defined term AFAIK) doesn't necessarily mean that access was unauthorized. If you're the sysadmin for a remote server that you suddenly discover you can't login to with your account and that people are complaining that it's sending spam, and you smash the stack on a vulnerable application running on the server in order to regain control and shut it down, I should hope that wouldn't be "unauthorized access" and subject to criminal penalties.

And then there's the fact that "exploit" is a fuzzy and undefined thing. Is changing "userid=4833" to "userid=4834" to get another user's account not an "exploit" but changing "userid=4833" to "userid=0" to get root access is? What if the maximum userid is 65535 and if you use "userid=65536" then it rolls back around and gives you root because it's equivalent to "userid=0" but doesn't get rejected like "userid=0" would? This is no way for a criminal law to operate.

>For the data Weev encountered was there any possible way to get a 401 response for the URLs?

Sure there was. If AT&T had configured their server properly then that's exactly what it would have given him. If I wanted to introduce some irony then I would have to ask you whether you were "blaming the victim" here.
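
The userid wraparound hypothetical in the comment above, written out as an added example (not code from the page or from any real system): a constructed handler that stores the id in 16 bits and rejects the literal "userid=0" but lets "userid=65536" wrap to 0, next to a version that range-checks first and ties authorization to the session. `Request`, `naive_lookup` and `hardened_lookup` are hypothetical names.

```python
"""
Constructed illustration of a 16-bit userid field, as hypothesised in the
discussion above.  Not code from the page or from any real server.
"""
from dataclasses import dataclass

ROOT_UID = 0
MAX_UID = 65535  # the hypothetical 16-bit id field


@dataclass
class Request:
    authenticated_uid: int   # whose session this is (hypothetical)
    query: str               # raw query string, e.g. "userid=4833"


def parse_userid(query: str) -> int:
    """Return the userid parameter; ValueError if it is absent or non-numeric."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == "userid":
            return int(value, 10)
    raise ValueError("missing userid")


def naive_lookup(req: Request) -> int:
    """Vulnerable version: checks the literal value, then narrows to 16 bits.
    65536 passes the root check and then becomes 0.  It also never asks who is
    logged in, so userid=4834 simply returns another user's account."""
    uid = parse_userid(req.query)
    if uid == ROOT_UID:
        raise PermissionError("root denied")
    return uid & 0xFFFF


def hardened_lookup(req: Request) -> int:
    """Fixed version: range-check before any narrowing, then authorize
    against the session rather than against what the client asked for."""
    uid = parse_userid(req.query)
    if not 1 <= uid <= MAX_UID:
        raise ValueError(f"userid {uid} out of range")
    if uid != req.authenticated_uid:
        raise PermissionError(f"session {req.authenticated_uid} may not read {uid}")
    return uid


def try_lookup(fn, req: Request) -> str:
    """Run a lookup and report the outcome as a string for easy comparison."""
    try:
        return f"uid={fn(req)}"
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__
```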


I concede that it's a bit fuzzy at the moment, but my criteria would be that if a spider could have accidentally crawled this info then it can't be a crime.

>Sure there was. If AT&T had configured their server properly then that's exactly what it would have given him.

That's not a valid test. If a company decides they didn't want you to see something after the fact (as in this case) they can always just claim they didn't configure their servers how they meant to.

>If I wanted to introduce some irony then I would have to ask you whether you were "blaming the victim" here.

What blaming the victim? The victims were the people whose data got released. Since they trusted AT&T with it that would make AT&T responsible. Everyone is talking about Weev but chances are he wasn't the only person on the planet to know about this.


>I concede that it's a bit fuzzy at the moment, but my criteria would be that if a spider could have accidentally crawled this info then it can't be a crime.

I don't think that works as a test either. Spiders index whatever other websites link to. The URLs may have been trivial but if there were no public links to them then a spider wouldn't have followed them. And then on the other hand they would be on another website if anyone (like weev) had linked to them, which you can do just as easily with a link that will cause a buffer overrun, and the spider will then follow it and overrun the buffer. It's completely plausible for a search engine to provide you with a search hit which if you click on it will cause a buffer overflow on the destination server and give you root access to the machine, because some "hacker" posted such a link on their site and the search engine indexed it and put it in the database.

>That's not a valid test. If a company decides they didn't want you to see something after the fact (as in this case) they can always just claim they didn't configure their servers how they meant to.

That's what I'm saying. All prosecutions for "unauthorized access" are like that, because if the server had been configured properly then unauthorized access would be impossible, so when it's discovered that it was misconfigured after the fact, the server operator wants to go back and retroactively label the conduct as unauthorized even though their computer allowed it.

There is certainly a matter of degree as to how far you had to go out of your way to get the server to do something you want it to do, but that is such a hopelessly vague and meaningless line between legal and illegal actions that (as Prof. Kerr has argued) it's potentially unconstitutional, to say nothing of whether it makes for good policy.

>What blaming the victim? The victims were the people whose data got released.

Again, that's the point. The law is stupid. The culpable party here is AT&T for putting its customers' info at risk. The party being imprisoned is the one who publicized the vulnerability rather than the ones responsible for putting it into production. I don't know if I support actual criminal penalties just for operating a vulnerable server, but I certainly take issue with the idea that if you do that and then someone publicizes your incompetence, you should have the right to put them in prison for it based on some vague notion of having gone too far in proving the point.


Very well, I guess we're probably in violent agreement.


See EF Cultural Travel BV v. Zefer, 318 F.3d 58 (1st Cir. 2003) (the fact that a website owner “would dislike” the use of an automated script “to construct a database” of information available from visiting the website does not render the use of the automated script an unauthorized access under the CFAA).

Interesting that a court has already opined this. I don't see any other basis on which one can define what constitutes unauthorized access, than whether the website owner would dislike it. I think, as you have argued, that a court looking for some more technical definition will find there isn't any that holds up under scrutiny.


Increment is the wrong word. They implemented the Luhn algorithm, which is not the same as i++


Increment in the general sense just means to increase the amount. A more specific meaning is to increase using regular steps, that is, to select the next number in a sequence. The use of the word is not confined to i++ or i=i+1 or ++i.

Luhn is just a check digit, so you could define an increment function that adds one to the base number and then calculates the last digit. Or, you could just iterate over every possible check digit from 0-9.
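
The Luhn check digit and the "increment the base, recompute the last digit" operation described above, as an added example that is not part of the original comment. The defender's takeaway it demonstrates: the check digit is a deterministic function of the other digits, so exactly one of the ten candidates for any base passes; Luhn catches typos and adjacent transpositions but carries no secrecy, and a server must never treat a Luhn-valid identifier as proof of anything. Function names are my own; the sample numbers are constructed.

```python
"""
Standard Luhn algorithm (added example, not code from the page).
"""


def luhn_check_digit(base: str) -> int:
    """Check digit for BASE (every digit except the last).  From the right,
    double every other digit, subtract 9 from any double above 9, sum, and
    choose the digit that makes the total a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:          # rightmost base digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit of NUMBER is the Luhn check digit of the rest."""
    if len(number) < 2 or not number.isdigit():
        return False
    return int(number[-1]) == luhn_check_digit(number[:-1])


def next_id(number: str) -> str:
    """The 'increment' the comment describes: add one to the base number,
    keep its width, and append a freshly computed check digit."""
    base = number[:-1]
    bumped = str(int(base) + 1).zfill(len(base))
    return bumped + str(luhn_check_digit(bumped))


def candidates_passing(base: str) -> int:
    """How many of the ten possible check digits make BASE + digit valid.
    Always exactly one: validity filters typos, it does not hide anything."""
    return sum(luhn_valid(base + str(d)) for d in range(10))
```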


This is fantastic news. Hopefully this gets overturned and narrows the scope of the CFAA to where the government can't put people in prison for exposing security flaws on unrestricted areas of the web.


Question for the local counsel: how much harder is Kerr's job made by entering only at the appeal stage, as opposed to if he had been representing Auernheimer from the beginning? e.g. are there issues/arguments he won't be able to bring up now that he could have earlier?


I can give you the general answer to that:

At the trial stage, you can argue matters of fact. Stuff like "my client was at home in bed when the events occurred" or "those teeth marks don't even match his dog!"

Since we are now at the appeal stage, barring something huge, all the facts the trial court decided were true have to be assumed true. So he can't now argue that Weev didn't actually access AT&T's servers. All he can discuss now is whether the court correctly applied the law to the facts it determined at trial, and that means...

...that it won't hamper Kerr at all. The facts here aren't disputed; everyone agrees on what Weev did, how AT&T's servers were configured, where Weev was, where the servers were, how AT&T responded to the breach. The dispute is entirely down to how the court applied the law (or indeed, whether it was even in the right court), and that's stuff which is best addressed (in some ways, only addressable) at the appeal level.

TL;DR: It doesn't make Kerr's job harder at all; in fact he can only do his job at the appeal stage, as his concerns are very much with the trial court's decision, not with the facts the court based that decision on.


My only addition would be that things like what Weev's state of mind was when he did these things are matters of fact that will be assumed true on appeal. So in addition to "he didn't actually access the servers" you also can't argue "he didn't really intend to do this or that."


So if the Appeals court can only decide if the law was applied correctly, does that mean it would have to go to the Supreme Court in order to determine if the law is constitutional?


No, any court can decide if the law is applied correctly or decide that a law is unconstitutional -- in fact, the lowest level of court can overturn any law. They are, however, required to apply the law correctly, including follow precedent set by any courts superior to them.

Normally appeals courts only handle the question of whether the lower court applied the law correctly, and assume that the lower court interpreted the facts right. This is because normally (there are a few VERY rare exceptions) it is not legally permitted to appeal on the grounds that the court or the jury got the facts wrong... only on the grounds that the law was applied incorrectly.


Appeals courts can determine whether a law is constitutional. However, all courts strongly prefer not to if they can.


No, any court can - in theory - declare a law or its application unconstitutional, but the lower courts are very reluctant to do so, and even appeals courts prefer to only do so in bright line cases. And I don't think this is; even if the court has grave reservations about the law, they'll likely punt and hope the Supreme Court figures it out.


Normally, you need to preserve arguments for appeal if they are related to evidence. It's unclear which, if any, arguments have not been preserved. However, at the same time in federal court, appeals courts generally have broad discretion to consider legal arguments not raised below, particularly if they are just about the law, not about some particular piece of evidence.

All this said, Kerr is only consulting/helping out AFAIK. He is not the arguing attorney (I hope). He's not really a litigator (he has about 3 years of experience in it, most of it from very early days of his career).

I am doubtful that his expertise would have really mattered at the trial stage. You can either convince a judge of something, or you can't.


I don't think it matters because Kerr is just arguing that the district court interpreted and applied the law incorrectly. An appeals court has full power in these areas. It would only be a problem if they wanted to introduce facts or procedural/evidentiary arguments not presented to the trial judge, or if they want to overturn the trial court's decision on procedural/evidentiary/factual matters.


Some arguments have to be made at every level or can be lost (i.e. 'preserved for appeal'). It looks like in this case the issues Kerr wants to appeal have not been lost. In any event the appellate stage is a more natural fit for an academic than the trial stage.


I hadn't been following this case, but this was interesting.

Why has the federal government turned into such a bully? This feels like a threat to all honest citizens.


Why? Because the honest citizens allowed it to. Sometimes actually begged it to.


You say "turned into" as if it hasn't often been exactly like this.


This is ridiculous.

I'm all for the representation, but I'm against the trolling nature of HN and alike.

Look at the comments posted the other day. You hated this kid. And still hate him. Only because he claimed to be bigger than he thought he was, which is true.

But, an injustice was still done. Yes, the guy is a tool. A big tool. And he's lucky to have this opportunity. But grow some balls HN. Either flame him again, or apologise, because now saying "Yes he was mistreated" is just flawed.


I never commented on previous weev stories but I think it is completely rational to believe both that he's a giant asshole and also that he was mistreated by receiving a huge prison term for something that I can barely see as a crime, let alone a serious one.

Where's the flaw in thinking both of these things?


Wildly extrapolating from current trends : (Old, out of touch, heavy handed government officials, increasing complexity of technology landscape, anonymous, bitcoin, various governments creating secret "cyber-war" units, stuxnet etc..) we're heading to a breakdown and reconfiguration of the entire power balance between the "lawyer-types" who run the government now and the hacker types who are mostly relegated to the sidelines of the society for now. I remember seeing footage of a congressional session (just after SOPA was sidelined) where the phrase "let's call in the nerds" was used repeatedly. Then there's crap like this http://www.volokh.com/2013/03/13/i-dont-really-understand-wh...

This is not a sustainable power structure and it's going to change. Let's hope the transition is peaceful and gradual for everybody's sake.


You think this is new? DoD delegated "Information Warfare" (what would now be called 'cyberwar') duties to NSA in 1997. In fact, the reconfiguration of the power structure is explicitly touched upon in NSA's own journal Cryptolog, in the Spring 1997 issue (Vol. XXIII, No. 1) -- http://cryptome.org/2013/03/cryptologs/cryptolog_136.pdf.


>>>> Importantly, however, only e-mail addresses were obtained. No names or passwords were obtained, and no accounts were actually accessed.

Why is it important? If, as Orin Kerr claims, emails were public information, so were names and passwords, if stored under the same scheme. So if he accessed names and passwords, it would be also authorized access by the same logic. But it seems to me somehow Orin Kerr feels the weakness in this argument. Since he doesn't really expect people to believe that if you find a hole in a site that allows downloading account passwords via exploiting some vulnerability in HTTP server sending it some specially crafted data - he feels that it is necessary to emphasize that passwords weren't accessed. But many people consider their personal email no less private than their password - so if it wasn't OK to take the password (and by emphasizing that no passwords were taken Orin Kerr seems to implicitly admit it would be important if the passwords were taken) then it also wasn't OK to take the emails.

On the question of felony though he may have a point. Felony is a grave crime that renders the criminal a second-class citizen long after the prison term has been served. I think for non-violent crime that did not result in actual grave harm it is too much, and while I remain unsympathetic to Auernheimer's person, I think if Orin Kerr succeeds in somehow reducing it to a lesser grade (or cause a change in the law that leads to that) it would be great.


Interestingly enough, whoever downvoted it didn't bother to counter-argue. Because yeah, why bother?


I upvoted your top comment but I'm definitely downvoting this whinging about downvoting. That shit has to stop, or HN will become truly unreadable.


I'm not whining about downvoting, I'm whining about people not willing to participate in proper discussion but still voting. What's the point in the whole system then?


I wonder if Marcia Hofmann is doing this individually (and pro bono) or as EFF.


Hey, here's a cool story about Weev: He's totally the kind of guy society should tolerate.

http://bedizen.livejournal.com/258763.html


Go back to 4chan or reddit please. The law isn't your personal playground to arrest people you don't like. Accessing a public URL isn't a crime. Nor is being an asshole (of which you should be very glad!).


So the authorities should charge him with harassment, privacy invasion, extortion, copyright infringement (of the photo(s)) whatever is applicable for the things that are described in that article (or anything else) that he has done.

Do not sentence him to 41 months for the fact that AT&T breached its customers' privacy and Weev let the press know or for accessing unprotected URLs.



