Rob Graham: The Best of Intentions

My computer literate buddy, Rob Graham, did the sort of thing knowledgeable geeks do.  Computer voodoo.

In order to measure the danger of the bash shellshock vulnerability, I scanned the Internet for it. Many are debating whether this violates the CFAA, the anti-hacking law.

The answer is that everything technically violates that law. The CFAA is vaguely written allowing discriminatory prosecution by the powerful.

The Computer Fraud and Abuse Act is a disaster, though it’s unclear whether the fault is with the law itself or Congress’ failure to update the law, enacted in 1986, when computers existed mostly as stand alone contraptions.  There was no internet, no world wide web.  Heck, even Gopher was still a twinkle in Mark McCahill’s eye.

The problem with the law is that it was written in the 1980s before the web happened. Back then, authorization meant explicit authorization. Somebody first had to tell you “yes, you can access the computer” before you were authorized. The web, however, consists of computers that are open to the public. On the web, people intentionally access computers with the full knowledge that nobody explicitly told them it was authorized. Instead, there is some vague notion of implicit authorization, that once something is opened to the public, then the public may access it.

Unfortunately, whereas explicit authorization is unambiguous, the limits of implicit authorization are undefined.

A key component of the CFAA is that it prohibits “intentional” unauthorized access, which Rob argues is too vague and ambiguous to provide a meaningful limitation to those, like him, who spend their days questioning the internet’s security.

Lawyers think that the word “intentional” in the CFAA isn’t vague. It’s the mens rea component, and is clearly defined.

Lawyers think this is clear, but it isn’t. We know Weev’s state of mind. We knew he believed his actions were authorized. For one thing, all his peers in the cybersecurity community think it’s authorized. For another thing, he wouldn’t have published the evidence of his ‘crime’ on Gawker if he thought it were a crime.

Yet, somehow, this isn’t a mens rea defense. You can read why on the Wikipedia article on mens rea. This is merely the subjecive test, but the courts also have an objective test. It’s not necessarily Weev’s actual intentions that matter, but the intentions of a “reasonable person”. Would a reasonable person have believed that accessing AT&T’s servers that way was unauthorized?

Curiously, while Rob appreciates that intentional is the most stringent of mens rea requirements, he sees it as sword instead of a shield,  But reading his words, one can begin to see why, and where he goes astray.  He writes of Weev Auernheimer, “[w]e know Weev’s state of mind.”  Do we?  We know what Weev says, and we know what Weev did. But no one ever knows another person’s state of mind. Not for real.

What “intentional,” as a mens rea requirement, means is that a person intends the natural consequences of his acts.  There could be a great many reasons, purposes, to an act, but the law accepts the notion that a person intends to do what he does.  It’s by no means conclusive, in that a defendant can refute the argument by testifying about his real purpose, but that shifts the burden to the defendant to explain.  That has its own inherent problems, as the defendant is then open to examination about other things as well, which he may prefer not to testify about.  Or his bad history. Or his bad attitude. Or any number of other things that won’t play well with a jury.

Non-lawyers see intention as normal people; what we mean is up to us, not to someone else to impute despite us.  And in real life, it’s a good point.  But if that was the case, then no prosecutor could ever prove intent if a defendant refused to testify.  While the prosecutor can prove conduct, and maybe statements to others, that’s as far as he can go.  He’s no more capable of seeing what  is really going on in another person’s head as anyone else.

In legal terms, this means that the mens rea for the CFAA is actually “strict liability”. Your actual intentions are irrelevant, because it’s the intentions of the ignorant that matter. And the ignorant think anything other than clicking on links is unauthorized. Hence, editing the URL field is “intentional unauthorized access”.

What we have is something akin to the Salem Witch Trials, where a reasonable jury of their peers convicted people for practicing witchcraft. To the average person on the street, computers work by magic, and those who do strange things are practicing witchcraft. Weev was convicted of witchcraft, and nothing more.

This is more revealing, as the problem with the interpretation of intentional isn’t really about intent, but about who is inferring intent from conduct.  What is obvious to a guy like Rob, or his peers of knowledgeable voodoo practitioners who work under the name InfoSec, looks very different to a bunch of dopes who think computers and the internet happen because of witchcraft.

We, and I include myself in this group, are too friggin’ clueless to understand either what guys like Rob are doing or why.  Our grasp of intentions is based on our frame of reference, and our frame of reference is, to be kind, so blitheringly stupid and simplistic that we can’t begin to understand what they’re doing or why.

But to blame the word “intentional” is to misdirect one’s angst.  Maybe we should have specialized juries who are sufficiently knowledgeable to understand why hackers, black hat or white, do what they do, because twelve random people are not up to the task.  But in the absence of intentional, it just gets worse, with the mens rea requirement reduced and the risk of confusion, arbitrariness and wrongful conviction increased.  That helps no one.

Rather, the problem is that the CFAA, perhaps sufficient in its day, has failed to keep pace with the ordinary conduct of very knowledgeable computer guys.  Is there no one in Congress who is sufficiently knowledgeable to grasp the problem?  Does no one care?

Based upon the failure to address the mass confusion, the arbitrariness of laws that fail to apply in any cognizable fashion, one would left to conclude that Congress doesn’t give a damn. Their intention is to let things ride, bad as it may be.

10 thoughts on “Rob Graham: The Best of Intentions

  1. Matthew I

    “…computers and the internet happen because of witchcraft.”
    Hmm…

    Item 1: Weilding both CS and magic require learning an arcane language that vaguely resembles speech (Harry Potter: “Wingardium Leviosa!”; Java: “System.out.println(new StringBuilder(message).append(suf[3]).toString());)

    Item 2: Mastering both CS and magic require years and years of study, but if you play your cards right you can become famous before getting a college degree (Harry Potter; the stereotypical Silicon Valley millionaire)

    Item 3: Both CS and magic can be applied to wildly disparate fields (nearly every fictional magic can perform miracles of both healing and destruction; CS can both simulate the human brain and generate or store crude images)

    Item 4: Both CS and magic are subject to arbitrary limitations (D&D: A 2nd level wizard can 6 spells in less than a minute, but has to rest for 8 hours before casting any more; in CS, detecting whether a user is in a national park is trivial; recognizing the phrase “app, take me a picture” is challenging but doable; but recognizing a picture of a bird is almost impossible)

    Item 5: Both CS and magic manipulate things (magic, math) that are fundamental to the universe but difficult to describe to an everyday layman.

    Conclusion: Computer science is, in fact, magic.

  2. Jim Tyre

    Scott,

    Your blog post at least suggests that CFAA hasn’t been amended since it was enacted in 1986. That’s not correct. It was amended in 1989, 1994, 1996, 2001, 2002 and 2008. None of those amendments address what you, many others and I see as the core problems with CFAA, but the amendments exist.

    You ask, perhaps rhetorically, whether there is anyone in Congress who understands the problem. The answer is yes. The most prominent example is a bipartisan bill introduced in the House a bit more than a year ago. Led by Representatives Lofgren and Sensenbrenner, a bill commonly known as Aaron’s Law (after Aaron Swartz) was introduced. Had it been enacted, it would have cured many of CFAA’s problems, but it wasn’t. There are other Representatives and Senators who also understand and want to fix the problem, just not nearly enough.

    1. SHG Post author

      In the event I decide to turn this post into a 67 page law review article, I promise to include all the superfluous information I’ve left out here because in law review articles, no one cares if you include superfluous information that sucks the point and brevity out of a post to bury it under irrelevant details and makes it so boring and tedious that no one wants to read it.

      Didn’t we talk about this already?

    2. Myles

      You know that kid in the front row at school, who always had his hand up and went “oooh, oooh” like he had a stomach ache, because he had some pointless bit of info that he was just dying to tell so everyone would know how smart he was, even though no one cared? That’s what this sounds like. And nobody ever liked that kid in the front row.

  3. david

    How does that joke go?
    In Germany, everything is prohibited, except that which is explicitly permitted.
    In France, everything is permitted, except that which is explicitly prohibited.
    In Italy, everything is permitted, ESPECIALLY that which is explicitly prohibited.

    In the US? . . . land of the free my arse.

  4. Andrew Cook

    Imagine you’re in a neighborhood with houses whose front doors are secured primarily by a lock in the doorknob. It’s discovered that a popular kind of lock is easily bypassed by slipping a credit card above the bolt and pressing downward. Upon hearing this, the manufacturer provides a modified door bolt that stops this problem, and some people aren’t affected due to using a different lock or an additional deadbolt.

    Rob went through this neighborhood trying to “card” into each and every house. He doesn’t steal anything, he doesn’t break anything, he doesn’t go further in or look at anything, and he closes the door immediately afterward. (Some white-hat hackers would leave a sticky note explaining the whole “card” issue, but it looks like Rob does not.) He does this solely to count the number of houses he can break into doing this, so he can put it on a poster to tack up around the ‘hood.

    Is what Rob did illegal? In the imaginary house example, under Virginia law, “no” — trespass is only a crime when it’s prohibited by signs that “could reasonably be seen”, someone’s explicit instructions, or a court order, or it’s done with intent to commit some other crime. Getting back to computer land, under Virginia law, “probably not” — 18.2 VA 152.4.2 forbids causing a computer to “malfunction”, and Rob’s actions may be construed as that, but the computer’s normal function was not impaired in any way. Under CFAA? Going by several recent prosecutions, “absolutely yes, and each house/computer it’s even attempted on is another fine and another ten years.”

    1. SHG Post author

      Yours is the common analogy used by prosecutor’s to justify criminalizing undesired access (as opposed to unauthorized access, as the law prohibits), such as happened in Weev’s case. But it’s a failed analogy, despite your glossing over the assumption at the beginning and then running with it to reach your point.

      There is pretty much no aspect of your analogy that holds when applied to the internet, so while it plays well with digital idiots (which can include judges as well as jurors) who need to analogize the digital world to the physical world because of their inability to grasp the conceptual distinctions, it’s application is wholly inapt.

      And the fact that the CFAA may (not quite absolutely, but quite possibly) criminalize such conduct is a reflection of a bad law and unaware prosecutors, judges and jurors, not wrongdoing. It’s a reason to change this archaic law rather than vilify people for using the internet as it exists.

      If I was constrained to try a real world analogy, I might consider a store, open for business to the public, which has big, wide open front door with inviting signs, as well as some doors around the side, the back, the other side, on the floor above and the floor below, most of which are locked, but some not, although the proprietor may have thought they were all locked and only the front door was open.

      So you want to enter the store from a door behind, and pull. Nothing. So you walk around and see another door on the side. Again you pull. Surprise! It opens, and in you walk, only to find that you’re in the storeroom rather than the showroom.

      The proprietor is very angry that you’re in his storeroom, as it’s not how he desires the public to enter. But all you did was pull on a door to a store that invites the public in, and that door opened.

Comments are closed.