The government has submitted a lengthy brief to the Third Circuit in response to the appeal of Andrew “Weev” Auernheimer following his conviction under the Computer Fraud and Abuse Act for embrassing AT&T by revealing a huge hole in its handling of iToys. And it’s making computer guys, like my pal Rob Graham, nuts.
The start of the brief goes to great lengths to describe how Andrew’s company, Goatse Security…
is not, to put it mildly, a traditional security research company.
By this, of course, they mean it was just a couple of guys having fun rather than a large industrial firm with thousands of employees. But the reality is that over the history of vulnerability research, the vast majority of disclosures have been by “non-traditional” security researchers. Certainly, Goatse Security was very strange as a whole, but the core concept of discovering a security and reporting it is as traditional as traditional gets.
The brief begins by smearing Weev because of his hacker sensibility, reflected in his sense of humor. They see nothing funny about it, and instead view the “non-traditional” ‘tude dangerous and indicative of his criminal bent.
As I read the government’s opening salvo, the strategy immediately crystalized: the government is selling its argument to judges, just as it earlier sold it to a jury. Lawyers use rhetoric to make a point, regardless of whether it comports with reality. On a good day, we can be persuasive even though we’re completely wrong because persuasiveness has less to do with accuracy than with confirmation bias.
The jury wasn’t composed of
computer hackers sophisticated computer users, so they were easy to persuade. Will the Third Circuit be the same?
Like Rob, Mike Masnick at Techdirt goes through the arguments in detail, noting the trick being played on the court that was successfully played on the jury:
From there, the DOJ starts playing dirty, pretending that because judicial law clerks can’t find the same kind of security hole, it somehow means that Spitler and Auernheimer were up to no good:
If an ordinary, but reasonably sophisticated computer user, like a typical judicial law clerk, had been assigned the task of compiling a list of e-mail addresses of iPad users available on AT&T’s servers, he almost certainly would not have been able to duplicate what Spitler did. The law clerk would likely go to AT&T’s website and search in vain for any links or other means to access this information. No hyperlinks or search engine requests would have produced the desired results.
This is really obnoxious. The US Attorneys working on this case know that a judicial law clerk is going to make the key call on this case, and this is a way to flatter those law clerks, claiming that they’re “sophisticated computer users.” But a “sophisticated computer user” is quite different from a security researcher or a higher level technically proficient user. The fact that they couldn’t find this info via a search engine is meaningless. No one is arguing that the info was available via search — but rather that it was incredibly wide open because of a security hole, and yes, you’d need some level of technical proficiency to figure it out, but as far as I know there’s no law making it illegal to be more technically proficient than a law clerk.
The government realizes that judges are notoriously unsophisticated when it comes to technology, and that they will turn to their law clerks under the gray beard assumption that every kid with an iPad knows everything there is to know about the internet. Having a Facebook account does not make one a sophisticated computer user, but it similarly doesn’t make a law clerk recognize the limits of his knowledge.
Law clerks tend to be smart kids, having done well in law school and harboring a belief that smart people are knowledgeable about everything. When the Circuit Judge asks to be schooled on a subject they know a little bit about, they will be flattered. Usually, the knowledge flow goes the other way, but this is an opportunity for the kid to teach the master a thing or two. So very tempting.
While the law clerks may indeed know how to wend their way across the interwebz with the best of their law school class, they are not necessarily
hackers sophisticated computer users. They may know a thing here and there, but just as hackers tend not to be particularly knowledgeable about the law (though they are usually pretty smart as well), lawyers’ knowledge of computers may not extend beyond knowing how to use their favorite shortcuts. So control-F lets you search text? Very handy for editing memos, but not really deep in computer-type stuff.
Having had a number of discussions with Rob about what Weev was up to, and how computer security experts function, and leaving those discussions pretty much as ignorant about truly sophisticated use of computers as I was when I began, the chasm between true expertise and the feigned sophistication employed by the government to back up its rhetoric become obvious.
Do the United States Attorneys who put their deepest thoughts into the government’s brief really believe what they wrote? Do they realize it’s all gobbledygook nonsense that at best has a surface shine designed to impress the hell out of people without a clue what they’re talking about?
Actually, I suspect they do, as the artfulness of the government’s brief, its smear of Weev, it’s flattery of law clerks’ brilliance, suggests that they indeed realize what they’re doing. Not that they understand computers or the internet any better than they did before, but they realize that they don’t understand enough about technology to have a viable view.
What they do know, and clearly know very well, is that they are playing to an audience that is similarly clueless, and are playing them masterfully. It’s hardly a stretch to imagine a court firm in its belief that it now possesses the knowledge of “sophisticated computer users,” and is thus prepared to decide that Weev was a bad dude.
And for computer security experts like Rob Graham, this means the work they do will now subject them to prosecution and imprisonment because a bunch of computer-dolts don’t get it, even though they think they do. And that will be the law that prevents those who are experts from revealing and fixing the holes in the internet that others leave behind and which puts all of us at risk.