Wednesday, February 6, 2013

The Collapse Of Corporations Monopoly On Knowledge - Rebooting Computer Crime Law: No Prison Time For Violating Terms of Service, Protect Tinkerers, Security Researchers, Innovators And Privacy Seekers

In the wake of social justice activist Aaron Swartz’s tragic death, Internet users around the country are taking a hard look at the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking law.  As we’ve noted, the CFAA has lots of problems. In this three-part series, we'll explain these problems in detail and why they need to be fixed. 
Here is the CFAA's greatest flaw: the law makes it illegal to access a computer without authorization or in a way that exceeds authorization, but doesn’t clearly explain what that means. This murkiness gives the government tons of leeway to be creative in bringing charges.

For example, overzealous prosecutors have gone so far as to argue that the CFAA criminalizes violations of private agreements like an employer’s computer use policy or a web site’s terms of service. Thankfully, some federal courts have recognized the absurdity of this argument, but Congress needs to fix the law to make it crystal clear.  Vague laws are dangerous precisely because they give prosecutors and courts too much discretion to arbitrarily penalize normal, everyday behavior.

So, under the government’s theory, what innocuous activities could the CFAA criminalize? Here are a few things that could violate the CFAA under the government’s misguided interpretation of the law:
  1. Lying about your age on Facebook. Facebook’s Rights and Responsibilities make users promise not to “provide any false personal information on Facebook.” So don’t even think about RSVP’ing to an event you can’t attend, or posting a misleading status update, or telling people you’re married when you’re not. These are all activities that could violate Facebook’s terms, and have you facing a years-long prosecution if the government decides to make an example of you.
  2. Saying you’re “tall, dark and handsome” on Craigslist when you’re actually short and homely.  Under Craigslist’s Terms of Service, a user can’t post “false or fraudulent content” on the site. And that’s not all—flagging something multiple times or encouraging others to flag content is also a violation of terms—not exactly the sort of dangerous activity the CFAA was meant to criminalize.
  3. Buying a lotto ticket with Square. Square’s Wallet User Agreement bans tons of different types of transactions, from making purchases “in connection with” membership clubs, identity theft protection services, lotto tickets or “occult materials.” Does that mean you can’t use Square to buy copies of the Twilight books? Only Square and federal prosecutors could tell you for sure.
  4. Letting a friend log in to your Pandora account. Under Pandora’s Terms of Use, users must “agree that you will not allow others to use any aspect of your Account Information.” So before you give your significant other your Pandora password, consider whether he or she is someone you want to put on your visitor’s list should you end up in prison.
  5. Posting impolite comments on the New York Times’ Web Site. The New York Times has an almost Victorian Terms of Service (1/24/13), which admonishes users to “be courteous” and “use respectful language” and “debate, but don’t attack.”  So before you engage in a late night impassioned discussion in a comment thread on an article, check to make sure your language doesn’t edge into “impolite” and land you in the Big House.
  6. Using Hootsuite to update your Google Plus page. The social media management tool Hootsuite lets users manage their Twitter and Facebook accounts, and it has been happily promoting its new Google Plus integration. But be wary: Google’s Terms of Service warn that you mustn’t “misuse our Services” and specifically cautions that users should not “try to access them using a method other than the interface and the instructions that we provide.” Since Google doesn’t provide Hootsuite, using the Hootsuite dashboard to update your Google Plus account could be cause for criminal liability.
  7. Sending a sexy message on eHarmony. eHarmony may be about finding love, but don’t even think about sending a sexually suggestive missive to someone through the service.  eHarmony’s Terms of Service ban individuals from using the service to send messages that are “sexually oriented.”  The terms also ban users from submitting content that is “off-topic” or “meaningless.” So, stay focused but not too sexy in your eHarmony communications or your search for love might attract the attention of a government prosecutor.
Internet users shouldn’t live in fear that they could face criminal liability for mere terms of service violations—especially given that website terms are often vague, lopsided and subject to change without notice. Security testing, code building, and free speech—even if unabashedly impolite—are fundamental parts of the Internet’s character. Supporting these types of innovation helps keep the Internet dynamic and interactive.  Regardless of whether you think that people ought to send sexy messages on eHarmony or post impolite comments on, one thing is certain: violating a private agreement or duty should not carry the grim shadow of criminal liability. No one should face criminal charges, go to jail, or face fines as a result of a contractual violation like using a pseudonym on Facebook.

Representative Zoe Lofgren (D-CA) has started the conversation and advocacy groups like Demand Progress have joined us in working to fix the vague, dangerous and overly punitive sections of CFAA that were misused to persecute Aaron Swartz.  Please join EFF in calling on Congress to fix the glaring problems with CFAA by sending an email to Congress now.


As Congress discusses Aaron's Law, it will debate how the law should treat users who work their way around technical measures aimed at identification, tracking, or preventing interoperability with other programs or services. Right now, the law is written in a way that treats those folks as criminals just the same as those who bypass access barriers in order to steal information or commit other malicious acts. The current draft of Aaron’s Law, posted on Reddit by Rep. Lofgren on February 1, goes part of the way to fixing this, but not all the way yet. 

Of course, companies are free to use technological measures to serve their business purposes, such as efforts to try to persistently identify users. But the law shouldn’t back up these tools with the sledgehammer of the CFAA's harsh criminal penalty scheme. Put another way, the law shouldn't punish a user’s method of access; it should punish wrongful trespasses and any harm caused by them. 

There are important reasons not to over-criminalize the simple side-stepping of technical measures. EFF has long advised researchers, innovators and activists who seek to avoid these measures for good reason, including discovering security vulnerabilities that attackers can use against us so that those flaws can be fixed. We’ve also seen companies use the CFAA to threaten competitors who create add-on innovation dependent on services working with each other, such as tools that add maps to apartment-hunting websites or make it possible for Internet users to view their social networking services together in a single browser. And as technical measures for tracking us online become all too common, the CFAA looms as a dangerous deterrent to prevent people from developing tools or taking steps to protect their privacy and avoid being tracked for purposes ranging from price discrimination to political intimidation. This is not just for geeks—ordinary people should be able to protect their privacy, exercise self-help, and use tools that let them access or send information in new ways. Here are a few examples.


1. Protecting Privacy

  A person seeks to access information about a disease that he has just been diagnosed with or a religion he is interested in, but wants to protect his privacy while looking at this information. Depending on how he chooses to access the information, he faces tracking by cookies, IP logging, or MAC address logging by his ISP or router, which can reveal his activities to his ISP, the online services he uses, advertising networks and the other third parties who have access to them, and possibly even the government without a warrant.

Similarly, a person might want to send critical information about a crime to the police or his congressional representative, but is concerned about retaliation from the bad guys. The best advice for someone in that situation is to eliminate all tracking of his activities, which likely includes removing cookies, changing IP addresses and MAC addresses among others.
It should not be a crime to take steps to change your IP address, MAC address and similar identifiers for the purpose of protecting privacy or maintaining anonymity, as long as you are not engaging in identity theft.


2. Protecting Innovation

 An entrepreneur creates a website that allows a user to view his social networking services in a new, innovative way, such as ordering posts by poster or topic rather than timeline, prioritizing the user’s family members’ posts, or combining content from the user’s various social networking services on the same page. One anti-competitive social networking service disapproves of this, and so blocks the IP address of the website.

It should be legal for an interoperable service to avoid an IP block in order to offer a useful add-on service to users.


3. Protecting Security Research

 A user finds that her online account with a dating website has been hijacked. In investigating what happened, she begins testing the URL structure for the dating website. She discovers that anyone can access her account, including her private information, contacts and dating history, all without putting in a new password simply by typing in the right URL. She determines that she could do this for many other users as well as herself.  She wants to inform the company and demonstrate what she discovered so that the company can fix the big security hole she found. 

It should be legal for someone to investigate the URL structure of a website to determine if there are security flaws.


4.  Working Around Discrimination Systems

  Last month, the Wall Street Journal reported that the office supply giant Staples was using cookies to perform price discrimination. Specifically, Staples was using cookies that stored users’ ZIP codes to show consumers different products and prices on the Staples web site based on the consumers’ geographic locations. The current version of Aaron’s Law would protect users who delete or modify "identifiers" that are used to track them, including cookies that contained a unique ID. That may be sufficient, but since the cookies reported by the Wall Street Journal do not identify any particular user and simply store a ZIP code, more clarity might be needed to ensure it’s legal to delete them.

A user should not face criminal penalties for deleting her cookies or taking other steps in order to get the same price as other consumers regardless of where she lives.


5. Malfunctioning Systems

  Firewalls, servers and other network equipment can be very complicated devices, and it is common for them to malfunction and block users without any intent on the administrator's part. Authorized users often try to find a way to avoid the problems caused by the misconfigured device, especially when real technical support is sparce, and these efforts should not be criminal.

For instance, a cable modem subscriber buys a wireless router to share an Internet connection within her home. The cable modem is configured to only allow one laptop to connect to it. The family uses the "Clone MAC Address" feature of the wireless router to copy the MAC address of their laptop, thereby allowing the router to connect to the Internet. This simple workaround should not violate the law.


Criminal Law Still Reaches Actual Intrusions and Actual Harm

  EFF's proposal still leaves plenty of room—and plenty of severe criminal penalties—for punishing actual computer intrusions and redressing actual harm. If Congress adopts EFF’s full CFAA reform proposal, it will still be a serious crime for an outsider to steal proprietary information. It will still be a serious crime to knowingly transmit codes that cause damage to a computer, traffic in passwords or engage in extortion by using threats of intrusion. It will still be a crime to take information from other people’s computers for fun or to make a political point, and it will be a serious crime if actual harm occurs as a result. (We'll be discussing more about the penalty adjustments we've proposed in Part 3 of this series.)

And remember, an array of other serious criminal laws will still exist if we amend the CFAA and these will still apply to computer-related activity. These include falsifying identification (18 U.S.C. § 1028), stealing trade secrets (18 U.S.C. § 1832), copyright infringement (including if there is no monetary gain) (17 U.S.C. § 506, 18 U.S.C. § 2319), extortion (18 U.S.C. § 2113(a), 18 U.S.C. § 1951, and/or 18 U.S.C. § 875), and circumventing technological measures aimed at protecting copyrighted works for financial gain (17 U.S.C. §§ 1201-1202, 1204).

The Big Picture: The Computer Fraud and Abuse Act Should Criminalize Wrongful Intrusions Into Computers


This second part of EFF's proposal is a difficult one to articulate.  It requires serious thinking about how technology and law should interact and we are open to continuing the discussion about how best to get there.  Aaron’s law v.2 is a good start, but we think it should more clearly protect all of the scenarios above.
Computer crime law needs to target actual bad acts—breaking in, stealing information, harming computers, damaging networks.  The CFAA now sweeps in a much broader swath of activity, which is why it is such a dangerous weapon in the hands of overzealous prosecutors and requires reform. In some of the cases that EFF's proposal language seeks to protect, users are plainly doing the "right" thing; in others there are shades of grey, but are best left either as a moral issue or addressed by other laws that target any harmful effects of the acts rather than the method of access.
The law needs to protect tinkerers, security researchers, innovators, and people who seek to avoid being tracked and discriminated against. The CFAA not only fails to protect these people, it allows ambitious prosecutors (and unhappy companies) to target them. Aaron’s Law amendments to the CFAA must stop that. Please join EFF in calling on Congress to pass fix the CFAA by sending an email to your elected representatives now. Juice Rap News - Episode 17: The War on Terra. It's 2013 and the world did not end by meteorite or by Mayan calendar. But fear not: we might just be able to get the job done ourselves. Join Robert Foster as he sets out to discover where Civilisation™ is making the fastest progress towards annihilation. In this edition of the Civilisation Report, Robert learns about Australia and Canada - two oft-neglected pioneers of peace, progress and prosperity - in conversation with our antipodean colonial correspondent Ken Oathcarn and his Canuck counterpart, Fagin Heighbard. Dear viewers, consider this a fair warning that in terms of language and affront to the dominant culture this could get fucking messy.

- Written & created by Giordano Nanni & Hugo Farrant in a suburban backyard home-studio in Melbourne, Australia - on Wurundjeri Land.

- Gratitude to our donors whose generosity has made this episode possible. SUPPORT the creation of new episodes of Juice Rap News, an independent show which relies on private donations: ‪

** CONNECT with us:

- Website: ‪
- Twitter: ‪
- Farcebook: ‪


- LYRICS available here: ‪


- Main Beat: the appropriately titled "Dangerous Times" by Red Skull:
- Orchestral compositions: Adrian Sergovich (a legend)
- Alien Song performed by Jonathan Dreyfus (another legend) and AC/Dickelback, with Justin Olsson (drums). Based on "Englishman in New York" by Sting. Recorded, mixed and mastered by Jez Giddings and Craig Harnath at Hothouse Audio St. Kilda. Produced by Jez Giddings and Jonathan Dreyfus.
- Tar Sands video footage: our deepest thanks to Chris of Tundra Punks for putting us in touch with the awesome film-makers who are raising awareness about Mordo...err the Tar Sands and whose footage was used in this episode: Emmanuel Vaughan-Lee, Elias and Adrianne from (Cinematography: Emily Topper; Rob Humphries; Editing: Elias Koch; Footage courtesy of Elemental The Film LLC; Eriel Deranger of Athabasca Chipewyan First Nation; H2Oil animations are courtesy of Shannon Walsh; (Animations by James Braithwaite, Dale Hayward & Sylvie Trouves:
- Thanks to the one and only Franklin Lopez of (and Maude) for Canuck cultural consultation and advice. Make sure you check out his 'git'-wrenching film, END:CIV:
- Video and music editing: Giordano
- Image and website assistance: Zoe Tame
- Props: Zoe Umlaut for creating our correspondents' microphones; and Sam for lending us his guitars.
- Thanks to Lucy for assistance with filming and all-round production tasks!
- Captions: Merci to Koolfy from la Quadrature du Net for creating the sync'd English captions for our episodes!

- Thanks to Marjan Rizov for Macedonian translation
- Thanks to Euclides and Vagner for Portuguese translation
- Thanks to Julie Chatagnon for French translation
- Thanks to Jonas Maebe for Dutch translation
- Thanks to Tamara for Serbian translation
- Thanks to Benjamin for German translation
- Thanks to Oren Koriat for Hebrew translation
- Thanks to Vojta Němec for Czech translation

** If you'd like to translate this episode into your language, please contact us via our website ‪

History is happening! Here is information about what some humans are doing right now to help save what's left of our relationship with this planet.
For more info about Tar Sands, Idle No More; the Kimberleys, Barrier reef, and CSG/Lock the Gate struggles:

if you're optimistic, make sure you watch this documentary:

The War on Terra:

"Nations in top three for carbon emissions" (Dec 2012):


  1. Searching for the Ultimate Dating Site? Create an account and find your perfect date.

  2. Many Online Positions Available Now!

    Earn up to $200/day on social media sites.


Related Posts Plugin for WordPress, Blogger...