How The Government Explains The Internet

The government has submitted a lengthy brief to the Third Circuit in response to the appeal of Andrew “Weev” Auernheimer following his conviction under the Computer Fraud and Abuse Act for embrassing AT&T by revealing a huge hole in its handling of iToys.  And it’s making computer guys, like my pal Rob Graham, nuts.

The start of the brief goes to great lengths to describe how Andrew’s company, Goatse Security…

is not, to put it mildly, a traditional security research company.

By this, of course, they mean it was just a couple of guys having fun rather than a large industrial firm with thousands of employees. But the reality is that over the history of vulnerability research, the vast majority of disclosures have been by “non-traditional” security researchers. Certainly, Goatse Security was very strange as a whole, but the core concept of discovering a security and reporting it is as traditional as traditional gets.

The brief begins by smearing Weev because of his hacker sensibility, reflected in his sense of humor. They see nothing funny about it, and instead view the “non-traditional” ‘tude dangerous and indicative of his criminal bent.

As I read the government’s opening salvo, the strategy immediately crystalized: the government is selling its argument to judges, just as it earlier sold it to a jury.  Lawyers use rhetoric to make a point, regardless of whether it comports with reality.  On a good day, we can be persuasive even though we’re completely wrong because persuasiveness has less to do with accuracy than with confirmation bias.

The jury wasn’t composed of computer hackers sophisticated computer users, so they were easy to persuade.  Will the Third Circuit be the same?

Like Rob, Mike Masnick at Techdirt goes through the arguments in detail, noting the trick being played on the court that was successfully played on the jury:

From there, the DOJ starts playing dirty, pretending that because judicial law clerks can’t find the same kind of security hole, it somehow means that Spitler and Auernheimer were up to no good:

 If an ordinary, but reasonably sophisticated computer user, like a typical judicial law clerk, had been assigned the task of compiling a list of e-mail addresses of iPad users available on AT&T’s servers, he almost certainly would not have been able to duplicate what Spitler did. The law clerk would likely go to AT&T’s website and search in vain for any links or other means to access this information. No hyperlinks or search engine requests would have produced the desired results.

This is really obnoxious.  The US Attorneys working on this case know that a judicial law clerk is going to make the key call on this case, and this is a way to flatter those law clerks, claiming that they’re “sophisticated computer users.”  But a “sophisticated computer user” is quite different from a security researcher or a higher level technically proficient user.  The fact that they couldn’t find this info via a search engine is meaningless.  No one is arguing that the info was available via search — but rather that it was incredibly wide open because of a security hole, and yes,  you’d need some level of technical proficiency to figure it out, but as far as I know there’s no law making it illegal to be more technically proficient than a law clerk.

The government realizes that judges are notoriously unsophisticated when it comes to technology, and that they will turn to their law clerks under the gray beard assumption that every kid with an iPad knows everything there is to know about the internet.  Having a Facebook account does not make one a sophisticated computer user, but it similarly doesn’t make a law clerk recognize the limits of his knowledge.

Law clerks tend to be smart kids, having done well in law school and harboring a belief that smart people are knowledgeable about everything.  When the Circuit Judge asks to be schooled on a subject they know a little bit about, they will be flattered. Usually, the knowledge flow goes the other way, but this is an opportunity for the kid to teach the master a thing or two. So very tempting.

While the law clerks may indeed know how to wend their way across the interwebz with the best of their law school class, they are not necessarily hackers sophisticated computer users. They may know a thing here and there, but just as hackers tend not to be particularly knowledgeable about the law (though they are usually pretty smart as well), lawyers’ knowledge of computers may not extend beyond knowing how to use their favorite shortcuts. So control-F lets you search text?  Very handy for editing memos, but not really deep in computer-type stuff.

Having had a number of discussions with Rob about what Weev was up to, and how computer security experts function, and leaving those discussions pretty much as ignorant about truly sophisticated use of computers as I was when I began, the chasm between true expertise and the feigned sophistication employed by the government to back up its rhetoric become obvious.

Do the United States Attorneys who put their deepest thoughts into the government’s brief really believe what they wrote?  Do they realize it’s all gobbledygook nonsense that at best has a surface shine designed to impress the hell out of people without a clue what they’re talking about?

Actually, I suspect they do, as the artfulness of the government’s brief, its smear of Weev, it’s flattery of law clerks’ brilliance, suggests that they indeed realize what they’re doing.  Not that they understand computers or the internet any better than they did before, but they realize that they don’t understand enough about technology to have a viable view.

What they do know, and clearly know very well, is that they are playing to an audience that is similarly clueless, and are playing them masterfully.  It’s hardly a stretch to imagine a court firm in its belief that it now possesses the knowledge of “sophisticated computer users,” and is thus prepared to decide that Weev was a bad dude.

And for computer security experts like Rob Graham, this means the work they do will now subject them to prosecution and imprisonment because a bunch of computer-dolts don’t get it, even though they think they do.  And that will be the law that prevents those who are experts from revealing and fixing the holes in the internet that others leave behind and which puts all of us at risk.

9 comments on “How The Government Explains The Internet

  1. Jordan

    “This Honorable Court, who is quite wise, extremely brilliant, and would probably make quite a bit of money hanging a shingle at our prestigious law firm once Your Honor is retired from the bench, surely must understand that our argument is solid.”

    Would that be proper in a brief?

    Just curious…

  2. Black

    If they don’t thank the dude for pointing out their security problem… rather, they prosecuted him, they are not the company to do business with.

  3. Fubar

    In your July 9, 2013 article you linked above, you wrote:

    The defense argument is that when someone leaves their stuff in front of a picture window, passersby commit no crime by looking in and seeing what the person put on display. Neither analogy strikes me as fully satisfying.

    If I may respectfully disagree, I find the defense analogy directly on the money.

    I don’t consider myself an expert on teh intarwebz, but I do know that if one sets a directory’s permissions to allow the world to read it, then the world can and will read it. Computers don’t have a DWIM (“Do What I Mean”) instruction. The responsibility to set access permissions to conform with the programmer’s wishes lies solely with the computer’s programmers, in this case, ATT.

    All Weev did was what ATT permitted the entire world to do, what G**gle does to webservers a zillion times every day. Weev “took” nothing. He read what ATT permitted to be displayed to the entire world.

    The prosecution is peddling pure sophistry. Actually “sophistry” is too long a word at 9 letters. An 8 letter word beginning with “b” describes both their argument and the prosecution, fully.

    1. SHG Post author

      Well, then it’s unfortunate that you aren’t a 3d Circuit judge, as the responding argument, that just because someone leaves a door unlocked doesn’t mean anyone can walk in and take whatever they like, seems to play better with people who don’t share your view.

      1. Fubar

        Indeed. Which problem is IMHO rampant in computer related cases: stretched analogies. Unfortunately I know no legal rule of interpretation that requires the use of the least stretched analogy if analogies are to be used at all. I certainly agree it’s best that no analogy be used.

        Analogies are like rubber bands. If you stretch them too much, they break.

        1. SHG Post author

          You haven’t been around here too long, but as I’ve written many times, I am not a fan of analogies when it comes to extrapolating law to the internet or computers. It just perpetuates bad law and makes the guy with the analogy that strikes the judge’s fancy best the winner. No. I’m not a fan at all.

  4. Grant Gould

    Reminds me depressingly of patent law, where the mythical “Person Having Ordinary Skill in the Art” of any field whatsoever invariably turns out to be suspiciously similar to a clever clerk with a day of reading wikipedia, whereas actual practitioners of the field are merely performing “purely ministerial matters” and beneath notice.

Comments are closed.