My computer literate buddy, Rob Graham, did the sort of thing knowledgeable geeks do. Computer voodoo.
In order to measure the danger of the bash shellshock vulnerability, I scanned the Internet for it. Many are debating whether this violates the CFAA, the anti-hacking law.
The answer is that everything technically violates that law. The CFAA is vaguely written, allowing discriminatory prosecution by the powerful.
The Computer Fraud and Abuse Act is a disaster, though it’s unclear whether the fault is with the law itself or Congress’ failure to update the law, enacted in 1986, when computers existed mostly as stand-alone contraptions. There was no internet, no world wide web. Heck, even Gopher was still a twinkle in Mark McCahill’s eye.
The problem with the law is that it was written in the 1980s before the web happened. Back then, authorization meant explicit authorization. Somebody first had to tell you “yes, you can access the computer” before you were authorized. The web, however, consists of computers that are open to the public. On the web, people intentionally access computers with the full knowledge that nobody explicitly told them it was authorized. Instead, there is some vague notion of implicit authorization, that once something is opened to the public, then the public may access it.
Unfortunately, whereas explicit authorization is unambiguous, the limits of implicit authorization are undefined.
A key component of the CFAA is that it prohibits “intentional” unauthorized access, which Rob argues is too vague and ambiguous to provide a meaningful limitation to those, like him, who spend their days questioning the internet’s security.
Lawyers think that the word “intentional” in the CFAA isn’t vague. It’s the mens rea component, and is clearly defined.
Lawyers think this is clear, but it isn’t. We know Weev’s state of mind. We knew he believed his actions were authorized. For one thing, all his peers in the cybersecurity community think it’s authorized. For another thing, he wouldn’t have published the evidence of his ‘crime’ on Gawker if he thought it were a crime.
Yet, somehow, this isn’t a mens rea defense. You can read why on the Wikipedia article on mens rea. This is merely the subjective test, but the courts also have an objective test. It’s not necessarily Weev’s actual intentions that matter, but the intentions of a “reasonable person”. Would a reasonable person have believed that accessing AT&T’s servers that way was unauthorized?
Curiously, while Rob appreciates that intentional is the most stringent of mens rea requirements, he sees it as a sword instead of a shield. But reading his words, one can begin to see why, and where he goes astray. He writes of Weev Auernheimer, “[w]e know Weev’s state of mind.” Do we? We know what Weev says, and we know what Weev did. But no one ever knows another person’s state of mind. Not for real.
What “intentional,” as a mens rea requirement, means is that a person intends the natural consequences of his acts. There could be a great many reasons, purposes, to an act, but the law accepts the notion that a person intends to do what he does. It’s by no means conclusive, in that a defendant can refute the argument by testifying about his real purpose, but that shifts the burden to the defendant to explain. That has its own inherent problems, as the defendant is then open to examination about other things as well, which he may prefer not to testify about. Or his bad history. Or his bad attitude. Or any number of other things that won’t play well with a jury.
Non-lawyers see intention as normal people do: what we mean is up to us, not for someone else to impute to us. And in real life, it’s a good point. But if that were the case, then no prosecutor could ever prove intent if a defendant refused to testify. While the prosecutor can prove conduct, and maybe statements to others, that’s as far as he can go. He’s no more capable of seeing what is really going on in another person’s head than anyone else.
In legal terms, this means that the mens rea for the CFAA is actually “strict liability”. Your actual intentions are irrelevant, because it’s the intentions of the ignorant that matter. And the ignorant think anything other than clicking on links is unauthorized. Hence, editing the URL field is “intentional unauthorized access”.
What we have is something akin to the Salem Witch Trials, where a reasonable jury of their peers convicted people for practicing witchcraft. To the average person on the street, computers work by magic, and those who do strange things are practicing witchcraft. Weev was convicted of witchcraft, and nothing more.
This is more revealing, as the problem with the interpretation of intentional isn’t really about intent, but about who is inferring intent from conduct. What is obvious to a guy like Rob, or his peers of knowledgeable voodoo practitioners who work under the name InfoSec, looks very different to a bunch of dopes who think computers and the internet happen because of witchcraft.
We, and I include myself in this group, are too friggin’ clueless to understand either what guys like Rob are doing or why. Our grasp of intentions is based on our frame of reference, and our frame of reference is, to be kind, so blitheringly stupid and simplistic that we can’t begin to understand what they’re doing or why.
But to blame the word “intentional” is to misdirect one’s angst. Maybe we should have specialized juries who are sufficiently knowledgeable to understand why hackers, black hat or white, do what they do, because twelve random people are not up to the task. But in the absence of intentional, it just gets worse, with the mens rea requirement reduced and the risk of confusion, arbitrariness and wrongful conviction increased. That helps no one.
Rather, the problem is that the CFAA, perhaps sufficient in its day, has failed to keep pace with the ordinary conduct of very knowledgeable computer guys. Is there no one in Congress who is sufficiently knowledgeable to grasp the problem? Does no one care?
Based upon the failure to address the mass confusion, the arbitrariness of laws that fail to apply in any cognizable fashion, one would be left to conclude that Congress doesn’t give a damn. Their intention is to let things ride, bad as it may be.