It's very frustrating reading the analogies that you are attempting to use to describe the charges in this case.
Is what weev did the same as walking to your ex-wife's house with a chainsaw while you shout that you're going to murder her (God forbid)? No, of course not. Given the actual harm or potential harm incurred here, weev's crime was more like walking to your ex-wife's house with an oversized down pillow while you talk about giving her a spanking on the bottom with it.
Is what weev did the same thing as walking into a stranger's house through his unlocked front door and then rifling through his personal papers? I don't think so. It would be better to say it is the same thing as walking past a house after the owner has plastered it with old credit card statements and then remarking to a fellow passer-by that you might make some expensive purchases using that now-public information.
The problem with the charges filed against weev and the charges filed against aaronsw is that they were based on a law that so lacks specificity and grounding in actual computer practice that even computer professionals need to use analogies to justify the illegality of the acts. If the law were legitimate such analogies would not be required.
Is it fair to convict a person based on an analogy, when another analogy might be more correct? If an appropriate analogy is required to determine guilt, then does the analogy itself take on the weight of law, and if so, who is to determine the correct analogy to apply in such a case (when the choice of appropriate analogy is what determines guilt or innocence), the judge, or the jury? No, if an action is going to be criminal, it must be possible to describe that action itself in its own literal terms and thereby determine its criminality.
You write that "crime = intent + action", and then you talk about nothing but his intent. The fact is that the action he undertook can only be described as criminal insofar as accessing a public URL that is not otherwise publicized qualifies as "exceeding access", which is what the CFAA makes a crime.
This is the problem with your argument, with the cases against both weev and aaronsw, and with the CFAA itself. Whatever ill will may have existed in weev's mind (I'm sure there is plenty there to go around), for his action iteself to be criminal, weev had to know what was in the mind of AT&T. And how could he? Because "authorization" is not a concept in the http protocol (or maybe there is, if you count http authentication, which wasn't used here) there are no methods besides clairvoyancy or pure gussing to determine whether a public URL is intended for open access or not. We have to assume that a public URL automatically grants authorization.
This is why the case against weev is so distressing. Although his intent may have been questionable, the actual action that is being prosecuted in this case is nothing more than fiddling with a url in a web browser. Who hasn't done this when looking through an image site like imgur.com or similar, just to see what's there randomly? We do this because it is universally accepted that unless a password restriction has been placed on a url, any publicly-accessible URL is intended to be viewed by the general public. Assuming anything else would break the Internet.
> Is what weev did the same as walking to your ex-wife's house with a chainsaw while you shout that you're going to murder her (God forbid)? No, of course not.
I'm not saying what weev did is as bad as attempted murder. I'm using the example to illustrate the concept.
> Is what weev did the same thing as walking into your house through your unlocked front door and then rifling through your personal papers? I don't think so. It would be better to say it is the same thing as his walking past your house after you plastered it with old credit card statements and then remarking to a fellow passer-by that he would do well to make some expensive purchases using that now-public information.
It's not like that at all. You're completely ignoring intent, and thereby taking the human element out of it and reducing it to the mechanical. If you plaster your house with credit card statements, a passer-by can reasonably infer that you intend to make the information public. Otherwise, why else would anyone do that? But AT&T clearly didn't intend to make the information public, and Weev's actions clearly suggest he knew that. AT&T made a mistake, but Weev took advantage of that mistake to access private information AT&T didn't intend to make public. The fact that I forgot to lock my door does not give you the right to go rifling through my shit! The fact that it's easy or even trivial to do so does not make it okay.
> The problem with the charges filed against weev and the charges filed against aaronsw is that they were based on a law that so lacks specificity and grounding in actual computer practice
I disagree with the contention that snooping around where you're not wanted for private information is grounded in "actual computer practice." It's grounded in a certain adolescent "hacker culture" that glorifies pushing peoples' buttons and getting around boundaries, but that is not coextensive with computer practice.
> that even computer professionals need to use analogies to justify the illegality of the acts. If the law were legitimate such analogies would not be required.
All law is based on analogical reasoning. Analogies allow us to illustrate operative principles to help translate from familiar situations to unfamiliar ones. Analogies in this case help illustrate the basic principle: just because it's easy to violate someone's property rights does not mean that such actions are not a violation.
> The fact is that the action he undertook can only be described as criminal insofar as accessing a public URL that is not otherwise publisized qualifies as "exceeding access", which is what the CFAA makes a crime.
What's unclear about the application of the CFAA here? He had a certain level of access to AT&T's information. He, through some means (it is utterly irrelevant the simplicity or difficulty of those means), exceeded his authorized access to get access to private information. He knew that he was getting access to information AT&T didn't intend him to access, and that AT&T had taken measures to conceal (it is utterly irrelevant how feeble those measures were). He then took the action of actually downloading that information. That's bad intent + accompanying action.
> Whatever ill will may have existed in weev's mind (I'm sure there is plenty there to go arround), for his action iteself to be criminal
This is a non-obvious feature of criminal law, but it needs to be understood. Under the law, "actions" are not criminal. Actions taken in a given frame of mind are criminal. The same action could be criminal or not depending on the intent. Take the simple act of entering someone's unlocked car. It can either be illegal trespass or not, depending entirely on whether you knew the car wasn't yours and you entered anyway.
> weev had to know what was in the mind of AT&T. And how could he? Because "authorization" is not a concept in the http protocol (or maybe there is, if you count http authentication, which wasn't used here) there are no methods besides clairvoyancy or pure gussing to determine whether a public URL is intended for open access or not. We have to assume that a public URL automatically grants authorization.
No, weev did not have to know what AT&T was thinking. The law does not hold him to that standard. The standard is objective: what would a reasonable person infer about AT&T's intentions? We do not have to use some bullshit mechanical assumption that ignores the simple fact that humans can do a pretty good job of guessing what other humans intend. You cannot tell me with a straight face that just because AT&T's security was trivial to get around that a reasonable person would conclude that AT&T had intended to grant open access to their member's e-mail addresses. That's the point of the "unlocked door analogy." Any normally functioning human being realizes that leaving a door unlocked does not create an inference that people are entitled to enter.
1) "The standard is objective: what would a reasonable person infer about AT&T's intentions? We do not have to use some bullshit mechanical assumption that ignores the simple fact that humans can do a pretty good job of guessing what other humans intend. You cannot tell me with a straight face that just because AT&T's security was trivial to get around that a reasonable person would conclude that AT&T had intended to grant open access to their member's e-mail addresses."
I think you are getting into the weeds here talking about legal standards. Do you know what the standard is when a party mistakingly discloses something (leaves confidential info on a park bench, or throws it out with the trash, or publishes it on a public website)? Do you know what the duties and obligations are of a person that discovers such a mistake? This is the area of established law that should be applied in this case. The "unlocked door" analogy is rediculous. Accidentally publishing something via a public URL is the equivalent of accidently publishing something in the newspaper, and equally negligent.
In other words, I belive that you are wrong. Any reasonable and computer literate person will assume that if information is available via a public URL without authentication it is intended for public consumption. If this were not the case, then it would fall on every internet user to iterpret the intent of the publisher based on the contents of the accessed document, which is largely impossible without first obtaining access in the first place!
2) "Actions taken in a given frame of mind are criminal. The same action could be criminal or not depending on the intent."
There is a certain class of action for which this is true: actions that are expressly prohibited when undertaken with mens rea. Not all criminal acts require mens rea (drunk driving), and certainly not all actions can be treated as criminal even if there is some kind of ill intent (ridicule of a public figure, stealing someone's girlfreind). You are making very broad assertions about how the law works and they are not fully correct.
With regards to the matter of the CFAA and "exceeding authorization", in order to assert that what weev did was criminal you have to establish that the underlying action is illegal when undertaken with mens rea, not just that there was some ill intent. The underlying action of accessing a public URL is not criminal, as the world wide web is inherrently a public medium, with very well-established means to make content private (authentication, firewall restriction), none of which were employed here.
3) "All law is based on analogical reasoning. Analogies allow us to illustrate operative principles to help translate from familiar situations to unfamiliar ones."
You missed my point. I have no objection to using analogy to illustrate a point. What I am saying is that you find it impossible to describe what weev did as criminal without resorting to analogy, and that you entirely rely in the correctness of your analogies to support your assertions. If you had to make your argument without analogy, you would be unable.
1. The set of vulnerabilities that can be expressed as "public URLs" is large. Important applications expose sensitive data without authentication all the time. They routinely give up access to their whole filesystem in file download systems. They reveal private messages by rotating integers. They manage to marshall raw SQL statements into URLs their developers didn't expect people to see. It simply cannot be the case that the standard for "unauthorized access" is "steps taken beyond entering URLs into a browser".
2. A minority of "strict liability" crimes don't require intent. Those crimes are more strictly enforced, not less. The CFAA isn't a strict liability statute. Most statutes aren't, which is something you are thankful for.
Guessing URLs isn't hacking. You of all people should know that. Some hacking can involve that, but it's as unrelated as noting that hackers eat.
Visiting a URL is like asking an employee to photocopy a document for you. As long as you don't misrepresent yourself it's absolutely reasonable.
We don't need people in your position adding to this culture of ignorance. The pathnames and parameters in a good web api are human readable, and human guessable, for a reason. The web is supposed to be human navigable.
If you (generically) don't like this, don't implement a plaintext service over a human readable protocol that almost everyone on the planet has a debugger for. If you must use this api, and place it in the midst of URLs you intend to be public, you must implement a password or use another intentional security feature.
Malls must mark private doors because the expectation otherwise (that they create) is that the mall is free to explore. By using http, and readable paths, and sequential record IDs, returning valid markup and unencrypted content, you're running a mall. Mark your doors or realize every area will be visited and plan accordingly.
Quit defending this legal nonsense or it'll soon be 'hacking' to ask for the next book in a series.
This was an unfriendly comment. People here obviously think I'm pretty snarky and a bit of an asshole and I'm fine with that, but I don't generally write comments singling people who disagree with me out by name and demanding that some circumstance of their career or status or upbringing requires them to agree with me at their own moral peril. I wish you could just disagree with me objectively.
Calling arguments I've made "nonsense" and "ignorance" doesn't make your argument stronger. It makes you sound emotional. That can be an effective card to play if you think your emotions are going to cow your opponent into shutting up. Is that what you're trying to do?
Moving on, you haven't addressed my point at all. URLs are human readable. We test a couple hundred web applications in any given year. How many ridiculous URLs do you think I've seen? I provided specific examples: human-readable URLs that human-readably gave up whole filesystems. Human-readable URLs that human-readably gave up SQL queries. Human-readable URLs that human-readably gave up private messages.
To follow your logic to its reasonable conclusion, all those vulnerable URLs were open season for Internet attacker^H^H^H^H^H^H^Husers; shame on those companies for over-exposing resources in URLs and then expecting the legal system to clean up after them! If that's what you believe, fine, but you're arguing for the decriminalization of a whole lot of very damaging attacks. And to what end? I guess my bill rate would go way up when people realized they had even less recourse against exploitation of bugs in their system.
Meanwhile, you've followed my logic to an improper conclusion. As Rayiner has tried to explain on numerous threads, the legal system is not a programming environment that evaluates objectively observable facts and spits out conclusions based solely on them. Crimes are (i) an intent to break the law and (ii) actions in furtherance of that attempt. It is not illegal to "ask for the next book in a series". But if an abortion clinic used a case management application with a bug that disclosed --- via human-readable URL --- the identities of all its patients, it absolutely should be a crime to use those URLs to dump confidential patient information to Pastebin.
None of this means I think Aurenheimer deserves prison time for getting email addresses from AT&T. He was charged with identity theft, in part (I think) because the CFAA has a badly written 1-up mushroom clause that says computer fraud is extra bad when charged alongside another felony. The idea that email addresses of iPad subscribers constitute "identities" is ludicrous.
I was addressing your ideas, not you. But everything you say comes with an aura of wizard and that's why I'm taking issue to you saying things that would merely be opinion from someone else.
The idea that incrementing a URL is hacking goes against the designing principles of the web. Intended behavior isn't hacking. By either definition. Telling people that this is special creates a culture of ignorance where they think there's magic under the hood and never try to learn.
The idea that URL manipulation is hacking is factually incorrect and you hurt people by saying it.
This doesn't mean it's not an exploit, depending on circumstances. Many exploits don't require hacking. For instance, item cloning in a mmorpg. That something is exploitable doesn't mean you need to hack it. A "take a penny" dish is exploitable but taking the pennies isn't hacking.
As for emotional arguments, you responded to me with one. I know many sites do things their maintainers wouldn't want them to do, but sympathy doesn't justify bad laws.
I'm not arguing for decriminalization of hacking, but that this isn't hacking.
I feel like I was pretty clear, so I'm puzzled by this response. Let me distill my last comment.
There are applications with human-readable URL schemes that will, with trivial manipulation of URLs, cough up arbitrary files from the server filesystem. Are those URLs OK to play with because of the "design principles of the web"?
But not lock-picking. Why are you trying so hard to label this hacking?
Earlier you argued by fear, that a badly configured server could send private data, and therefore editing URLs is hacking. Hell, I've seen servers with private data in the root dir. This is disconcerting, and bad for the company, but not hacking if you view the documents.
Similarly, incrementing as number, turning a page, clicking next, those are the expected, default, uses. They don't magically become a cyber attack simply because your software does exactly what you told it to.
Why are you unwilling to separate questions of legality long enough to make it clear that anyone in the world who can place one number after another could have done exactly the same?
Someone who unintentionally released private documents but thought they were hacked wouldn't have any incentive to change, or idea how. But if we were honest with them, they would.
> I think you are getting into the weeds here talking about legal standards.
I'm talking about very broad principles. Your claim is basically that AT&T's intent to keep the information private cannot be relevant because Weev cannot know what AT&T is thinking. I'm pointing out that while the law rarely charges you with reading minds, it is quite common to charge you with making reasonable inferences about other peoples' intentions.
> Accidentally publishing something via a public URL is the equivalent of accidently publishing something in the newspaper, and equally negligent.
Thought experiment: how many cases do you think there are of people accidentally publishing their naked photos in a newspaper, versus leaving them in a publicly accessible directory?
> In other words, I belive that you are wrong. Any reasonable and computer literate person will assume that if information is available via a public URL without authentication it is intended for public consumption.
I disagree that a categorical rule is the only one a "reasonable" and "computer literate" person would support. I see no reason why we can't consider the surrounding context. A building on Michigan Ave with an open door creates a different inference, in the mind of a reasonable person, about whether they are allowed to walk in than a house in a residential neighborhood with an open door.
> There is a certain class of action for which this is true: actions that are expressly prohibited when undertaken with mens rea.
Again, I'm speaking in broad principles. Intent is the heart of the criminal law. The Model Penal Code, which represents the prevailing thought on criminal law in the U.S. applies it rigorously save for in one case (statutory rape of young children). Strict liability is the exception, and even that can be seen as a per-se judgment about intent.
> With regards to the matter of the CFAA and "exceeding authorization", in order to assert that what weev did was criminal you have to establish that the underlying action is illegal when undertaken with mens rea, not just that there was some ill intent.
The action was changing the number on a URL to access a different page. The intent was to get access to information that AT&T did not intend Weev to access. I don't see what's hard about this. Yes, it's not illegal to access a public URL, but that doesn't mean it can't be illegal to access a public URL with intent to get access to private information.
> with very well-established means to make content private (authentication, firewall restriction), none of which were employed here.
There are every well-established (thousands of years older than HTTP) means of making buildings private (locks), yet not employing one doesn't give you permission to enter!
Is what weev did the same as walking to your ex-wife's house with a chainsaw while you shout that you're going to murder her (God forbid)? No, of course not. Given the actual harm or potential harm incurred here, weev's crime was more like walking to your ex-wife's house with an oversized down pillow while you talk about giving her a spanking on the bottom with it.
Is what weev did the same thing as walking into a stranger's house through his unlocked front door and then rifling through his personal papers? I don't think so. It would be better to say it is the same thing as walking past a house after the owner has plastered it with old credit card statements and then remarking to a fellow passer-by that you might make some expensive purchases using that now-public information.
The problem with the charges filed against weev and the charges filed against aaronsw is that they were based on a law that so lacks specificity and grounding in actual computer practice that even computer professionals need to use analogies to justify the illegality of the acts. If the law were legitimate such analogies would not be required.
Is it fair to convict a person based on an analogy, when another analogy might be more correct? If an appropriate analogy is required to determine guilt, then does the analogy itself take on the weight of law, and if so, who is to determine the correct analogy to apply in such a case (when the choice of appropriate analogy is what determines guilt or innocence), the judge, or the jury? No, if an action is going to be criminal, it must be possible to describe that action itself in its own literal terms and thereby determine its criminality.
You write that "crime = intent + action", and then you talk about nothing but his intent. The fact is that the action he undertook can only be described as criminal insofar as accessing a public URL that is not otherwise publicized qualifies as "exceeding access", which is what the CFAA makes a crime.
This is the problem with your argument, with the cases against both weev and aaronsw, and with the CFAA itself. Whatever ill will may have existed in weev's mind (I'm sure there is plenty there to go around), for his action iteself to be criminal, weev had to know what was in the mind of AT&T. And how could he? Because "authorization" is not a concept in the http protocol (or maybe there is, if you count http authentication, which wasn't used here) there are no methods besides clairvoyancy or pure gussing to determine whether a public URL is intended for open access or not. We have to assume that a public URL automatically grants authorization.
This is why the case against weev is so distressing. Although his intent may have been questionable, the actual action that is being prosecuted in this case is nothing more than fiddling with a url in a web browser. Who hasn't done this when looking through an image site like imgur.com or similar, just to see what's there randomly? We do this because it is universally accepted that unless a password restriction has been placed on a url, any publicly-accessible URL is intended to be viewed by the general public. Assuming anything else would break the Internet.