Wednesday, April 17, 2013

Reason 37 To Reform The CFAA

As regular readers know, I am neither a fan of the extension of law by analogy when it comes to technology nor of the harsh and absurdly confused application of the Computer Fraud and Abuse Act, a law crafted long before Congress had a clue what the future of computers would bring. Ironically, the push to reform and rationalize the law has so utterly lost its purpose that it fails to fix the law's faults while making it harsher in the process. Another excellent example of "be careful what you ask for, because you just might get it."

With this in the background, the case of Andrew “Weev” Auernheimer is coming before the Third Circuit. Orin Kerr represents the defendant pro bono, along with a laundry list of well-intended advocates. While the case has received its share of attention, it has been overshadowed by the Aaron Swartz case and subsequent suicide. Still, it's an important case, certainly worthy of attention. Orin sells the facts:

When iPads were first released, iPad owners could sign up for Internet access using AT&T. When they signed up, they gave AT&T their e-mail addresses. AT&T decided to configure their webservers to “pre load” those e-mail addresses when it recognized the registered iPads that visited its website. When an iPad owner would visit the AT&T website, the browser would automatically visit a specific URL associated with its own ID number; when that URL was visited, the webserver would open a pop-up window that was preloaded with the e-mail address associated with that iPad. The basic idea was to make it easier for users to log in to AT&T’s website: The user’s e-mail address would automatically appear in the pop-up window, so users only needed to enter in their passwords to access their account. But this practice effectively published the e-mail addresses on the web. You just needed to visit the right publicly-available URL to see a particular user’s e-mail address. Spitler realized this, and he wrote a script to visit AT&T’s website with the different URLs and thereby collect lots of different e-mail addresses of iPad owners. And they ended up collecting a lot of e-mail addresses — around 114,000 different addresses — that they then disclosed to a reporter. Importantly, however, only e-mail addresses were obtained. No names or passwords were obtained, and no accounts were actually accessed.
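To make the mechanism Kerr describes concrete, here is an added illustration in Python; it is not code from this post, from Kerr, or from AT&T, and the endpoint names, device identifiers, addresses, session format and log lines are all constructed. The first handler models the pre-load behaviour as described: the identifier in the URL is the only thing that selects which e-mail address comes back. The second shows the generic fix, which is to take the lookup key from a server-issued, authenticated session rather than from the request, and the last function shows what a harvesting script looks like in an access log so the pattern can be spotted.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Set

# Constructed sample directory: device identifier -> registered e-mail address.
REGISTERED_DEVICES: Dict[str, str] = {
    "100001": "alice@example.com",
    "100002": "bob@example.com",
    "100003": "carol@example.com",
}


def preload_vulnerable(device_id: str) -> Optional[str]:
    """Models the pre-load endpoint as described in the post: whoever puts a
    device identifier in the URL is handed the matching e-mail address.
    Nothing ties the request to the device or to a logged-in account, so the
    whole directory is reachable by walking the identifier space."""
    return REGISTERED_DEVICES.get(device_id)


# Hardened design (a generic mitigation, not what AT&T did): the address shown
# is chosen by a session the server issued earlier, never by a value the
# client supplies in the URL.
SERVER_SECRET = secrets.token_bytes(32)  # constructed per-deployment key


def issue_session(device_id: str) -> str:
    """Mint a session token bound to one device. Assumed to be called only
    after the device has authenticated by some prior, separate step."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{device_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{device_id}:{nonce}:{mac}"


def preload_hardened(session_token: str) -> Optional[str]:
    """Return the e-mail address for the device the session is bound to, or
    None if the token is malformed or its MAC does not verify. The device
    identifier comes out of the verified token, so rewriting it in transit
    invalidates the MAC instead of selecting someone else's address."""
    try:
        device_id, nonce, mac = session_token.split(":")
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{device_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return REGISTERED_DEVICES.get(device_id)


# Detection side: constructed access-log lines in a simple "client method path status" form.
LOG_LINE = re.compile(r"^(\S+) GET /preload\?id=(\d+) (\d{3})$")

SAMPLE_LOG: List[str] = [
    "198.51.100.2 GET /preload?id=100001 200",
    "203.0.113.7 GET /preload?id=100001 200",
    "203.0.113.7 GET /preload?id=100002 200",
    "203.0.113.7 GET /preload?id=100003 200",
    "203.0.113.7 GET /preload?id=100004 404",
    "198.51.100.2 GET /preload?id=100001 200",
]


def flag_enumeration(log_lines: List[str], max_distinct_ids: int = 3) -> List[str]:
    """Return the clients that requested more than `max_distinct_ids` distinct
    identifiers. A legitimate device asks for its own identifier over and
    over; a collection script asks for many different ones."""
    seen: Dict[str, Set[str]] = {}
    for line in log_lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        client, device_id, _status = match.groups()
        seen.setdefault(client, set()).add(device_id)
    return sorted(client for client, ids in seen.items() if len(ids) > max_distinct_ids)


if __name__ == "__main__":
    print(preload_vulnerable("100002"))            # any caller gets bob's address
    print(preload_hardened(issue_session("100001")))  # only the session's own device
    print(flag_enumeration(SAMPLE_LOG))            # the scanning client
```

The point of the contrast is that the vulnerable handler treats a guessable identifier as if it were a credential, which is exactly why "visiting the right URL" was enough; the hardened one makes the identifier irrelevant to authorization. The log check is the kind of thing a site operator could have had in place, and it flags the behaviour without any judgement about who was entitled to do it.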
The argument is that since AT&T made the information readily available on the interwebz, if you know where to look, on an unprotected website open to the public, there can be no unauthorized access.

The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them.
But the access went from accidental to a script designed to access thousands of addresses.

Further, the fact that an automated script was used to collect lots of information instead of visiting manually makes no difference to whether the visiting was an unauthorized access.
Though it does implicate the intent of the person doing the accessing. But if the access isn't unauthorized, then so what?

At PrawfsBlawg, Michael Risch asks for thoughts about whether he should come in as amicus in support of Auernheimer to argue that the CFAA is unconstitutionally vague and overbroad.

“Unauthorized access” and even “exceeds authorized access” should never have been interpreted to apply to publicly accessible data on publicly accessible web sites. Since they have, then I am convinced that the statute is impermissibly broad, and must be struck down. At the very least it must be rewritten.
But there is an irony here that needs to be confronted first. Orin has published and argued the proposition that laws should be tech neutral, essentially taking the law as it's found, developed over the years for the physical world, and applying it by analogy to the digital world. Consider how that works its magic here.

While one couldn't access this information via the front door of AT&T's website, where it invited anyone to enter its showroom, there were also side doors and back doors where the public wasn't invited in. Sure, they were unlocked, but if one stumbled upon a back door of a brick and mortar business which had a front door leading to an open storefront, does that entitle a person to sneak through the back door just because it's unlocked? Because the showroom was open to the public, is the office upstairs open as well? Can visitors rifle through the manager's file cabinets as well as racks of clothing for sale?

The fact that one can do something does not, in itself, mean a person is authorized to do so. If you leave the front door to your house unlocked, does that mean anyone passing by can walk in and take whatever he wants?

The problem is that the digital world and the physical world do not compare and contrast well, and the prosecution of crime by analogy is not only too vague and subject to rhetorical argument, but leaves it entirely in the hands of the government as to what otherwise ordinary conduct is transformed into a crime, one with a very harsh 41 months of imprisonment for Auernheimer.

Orin's contention, that the access of AT&T's back door isn't "unauthorized access," isn't particularly persuasive under the CFAA. Indeed, it seems pretty clear that the law is sufficiently encompassing that it was indeed unauthorized, as no reasonable person could have thought that AT&T was cool with their going into back doors and side doors when the only invitation was to enter through the front.

But then, that's because the facts are viewed through the prism of tech neutrality. If computer access isn't analogized to physical-world law, but is instead considered sui generis, based upon what really happens online, upon what is really intended to be criminalized in the digital world, and upon the recognition that the current iteration of the CFAA largely criminalizes everything that happens in the digital world if we apply real-world legal concepts and tilt our head slightly to the right, then perhaps Risch's argument prevails.

The point of all this is that the CFAA is absurdly vague and overbroad, and is in such need of reform and clarity as to what constitutes a crime in the digital sphere as to make it impossible to prosecute for unauthorized access under the current law. But until the courts, legislators and scholars get it through their heads that the digital world is different, and not merely some distorted mirror image of the physical world by which crimes can be manufactured by analogy, people will continue to be prosecuted for conduct like this.

There is no viability to tech neutrality. The CFAA must either be reformed to clearly state what it prohibits, if that's possible, or we can risk our freedom every time we go online, never knowing whether our access was sufficiently authorized to satisfy the government.
© 2012 Simple Justice NY LLC.

Source: http://blog.simplejustice.us/2013/04/10/reason-37-to-reform-the-cfaa.aspx?ref=rss