date 2015-03-24
from the everything-is-fine dept.
https://arstechnica.com/tech-policy/2024/03/charges-against-journalist-tim-burke-are-a-hack-job/
Caitlin Vogus is the deputy director of advocacy at Freedom of the Press Foundation and a First Amendment lawyer. Jennifer Stisa Granick is the surveillance and cybersecurity counsel with the ACLU's Speech, Privacy, and Technology Project. The opinions in this piece do not necessarily reflect the views of Ars Technica.
Imagine a journalist finds a folder on a park bench, opens it, and sees a telephone number inside. She dials the number. A famous rapper answers and spews a racist rant. If no one gave her permission to open the folder and the rapper's telephone number was unlisted, should the reporter go to jail for publishing what she heard?
If that sounds ridiculous, it's because it is. And yet, add in a computer and the Internet, and that's basically what a newly unsealed federal indictment accuses Florida journalist Tim Burke of doing when he found and disseminated outtakes of Tucker Carlson's Fox News interview with Ye, the artist formerly known as Kanye West, going on the first of many antisemitic diatribes.
[...]
According to Burke, the video of Carlson's interview with Ye was streamed via a publicly available, unencrypted URL that anyone could access by typing the address into your browser. Those URLs were not listed in any search engine, but Burke says that a source pointed him to a website on the Internet Archive where a radio station had posted "demo credentials" that gave access to a page where the URLs were listed.
The credentials were for a webpage created by LiveU, a company that provides video streaming services to broadcasters. Using the demo username and password, Burke logged into the website, and, Burke's lawyer claims, the list of URLs for video streams automatically downloaded to his computer.
And that, the government says, is a crime. It charges Burke with violating the CFAA's prohibition on intentionally accessing a computer "without authorization" because he accessed the LiveU website and URLs without having been authorized by Fox or LiveU. In other words, because Burke didn't ask Fox or LiveU for permission to use the demo account or view the URLs, the indictment alleges, he acted without authorization.
[...] Using a published demo password to get a list of URLs, which anyone could have used a software program to guess and access, isn't that big of a deal. What was a big deal is that Burke's research embarrassed Fox News. But that's what journalists are supposed to do—uncover questionable practices of powerful entities.
Journalists need never ask corporations for permission to investigate or embarrass them, and the law shouldn't encourage or force them to. Just because someone doesn't like what a reporter does online doesn't mean that it's without authorization and that what he did is therefore a crime.
Still, this isn't the first time that prosecutors have abused computer hacking laws to go after journalists and others, like security researchers. Until a 2021 Supreme Court ruling, researchers and journalists worried that their good faith investigations of algorithmic discrimination could expose them to CFAA liability for exceeding sites' terms of service.
[...]
If journalists must seek permission to publish information they find online from the very people they're exposing, as the government's indictment of Burke suggests, it's a good bet that most information from the obscure but public corners of the Internet will never see the light of day. That would endanger both journalism and public access to important truths. The court reviewing Burke's case should dismiss the charges.
Related Stories
The US DOJ has agreed to drop 11 of 12 charges against journalist Barrett Brown. He was indicted on many charges when he provided a hyperlink to data that was claimed to have been stolen, even though he was never accused of doing the stealing, or of being the first one to publish a hyperlink to the material.
An announcement of the dismissal:
https://pressfreedomfoundation.org/blog/2014/03/justice-dept-moves-drop-charges-against-journalist-barrett-brown-could-criminalize
The official court document regarding the dismissal:
https://www.eff.org/files/2014/03/05/barrett_brown_mtd.pdf
The original indictment:
http://freebarrettbrown.org/files/BB_indictment2.pdf
An analysis from last year:
https://www.eff.org/deeplinks/2013/07/indictment-barrett-brown-threatens-right-link-could-criminalize-routine-journalism
[In the AC's opinion] While this might seem like a victory for Free Speech and Freedom of the Press, the US DOJ still helped destroy a man's life, hold him for weeks without any charges or medical care, only to drop charges (11 of 12 so far) years later, and only after big wigs came to his defense and threatened to file an amicus brief on his behalf in defense of his civil rights. This seems in line with the usual bullying and intimidation tactics the American legal system regularly engages in, which routinely leads to the destruction of people's lives. Having just finished reading Homeland (http://craphound.com/homeland/) and reading the late Aaron Swartz's afterword, this news seems especially poignant.
[Editor's Note: While we encourage all contributors to comment we ask that they clearly separate the factual content of the summary from their own views and opinions. We would prefer this to take the form of a comment in the story's thread but it is also acceptable in the submission providing that it is clearly marked as such. (Please see: Submission Guidelines). Furthermore, I would usually make this remark in private to the submitter but, in this instance, it is an Anonymous Coward and I am unable to do so.]
Ken White over at Popehat has a review of the documentary film by Brian Knappenberger: "The Internet's Own Boy: The Story of Aaron Swartz".
One unique aspect of this review is the perspective of a practising criminal defence attorney, and former federal prosecutor, on the attitude of the justice system.
My fortunate clients are the most outraged at how they are treated by the criminal justice system, and most prone to seeing conspiracies and vendettas, because they are new to it; they have not questioned the premise that the system's goal is justice. My clients who have lived difficult lives in hard neighborhoods don't see a conspiracy; they recognize incompetence and brutal indifference and injustice as features, not bugs. "Justice system" is a label, not a description.
White also notes the possible impact of depression in this case, referencing back to an article he wrote which challenges many of the common perceptions about the case.
The Freedom of the Press Foundation reports
Today, fourteen Pulitzer Prize winners have issued statements in support of journalist James Risen and in protest of the Justice Department's attempt to force Risen to testify against his sources. Risen has vowed to go to jail rather than give up his source, but the Justice Department has steadfastly refused to drop its pursuit. On Thursday, many of the major US press freedom organizations will hold a press conference in Washington DC and deliver a petition with over 100,000 signatures to the Justice Department, calling on them to do the same.
The Register published a story which lets us know that:
the US Computer Fraud and Abuse Act (CFAA) should be stricken for being unconstitutional.
The civil rights group said in a filing [PDF] to the Washington, DC, District Court that the CFAA prevents researchers and whistleblowers from carrying out their work and violates both the free speech and due process clauses in the First and Fifth Amendments.
The suit ... asks that the courts invalidate the law, which has been the basis for hacking and computer crime prosecutions since its enaction by Congress in 1986.
According to the ACLU, the CFAA illegally prevents researchers from doing their jobs by restricting activities to those approved by a product's terms of service (TOS). Because the Act counts violating a TOS as "unauthorized" access, the ACLU argues that companies are able to effectively write their own criminal laws with a TOS.
The article notes:
The ACLU is filing the suit on behalf of a group of researchers who wish to investigate whether the Fair Housing Act (FHA) is being violated by real estate sites that would provide different results for users based on their race or ethnicity.
The researchers claim that in order to test for discrimination, they would need to present as different individuals of varying races and compare the results. Because falsifying this information would violate a site's terms of service, however, the researchers say they would be in danger of criminal prosecution under the CFAA.
As a result, the suit alleges, the ability of researchers to uncover FHA violations in these services is being blocked by the law, and in the process has a "chilling" effect on free speech and due process.
It's about time!
A current employee granted access to his work account to some former employees. Since the former employees were setting up a competing business and using the account to download the employer's confidential information, it wound up in court.
The case went to appeal on the question of whether access authorized by the account holder and not authorized by the computer's owner is a violation of the CFAA. One issue the appellate judges kicked around was whether a "yes" answer would criminalize some routine and harmless activities. There's even another upcoming case with a similar issue, involving a firm that provided a service involving logging in to people's Facebook accounts on their behalf. Facebook didn't like that. A "no" answer of course risks accidentally legalizing any intrusion that has an insider as part of the conspiracy.
A lawyer's analysis is at https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/06/password-sharing-case-divides-ninth-circuit-in-nosal-ii/
The case numbers are 14-10037 and 14-10275 if you want to look them up in PACER. No, I won't lend you my password :-)
Submitted via IRC for TheMightyBuzzard
On July 5th, the U.S. Ninth Circuit Court of Appeals issued an opinion which found, in part, that sharing passwords is a crime prosecutable under the Computer Fraud and Abuse Act (CFAA). The decision, according to a dissenting opinion on the case, makes millions of people who share passwords for services like Netflix and HBOGo into "unwitting federal criminals."
The decision came in the case of David Nosal, an employee at the executive search (or headhunter) firm Korn/Ferry International. Nosal left the firm in 2004 after being denied a promotion. Though he stayed on for a year as a contractor, he was simultaneously preparing to launch a competing search firm, along with several co-conspirators. Though all of their computer access was revoked, they continued to access a Korn/Ferry candidate database, known as Searcher, using the login credentials of Nosal's former assistant, who was still with the firm.
Nosal was eventually charged with conspiracy, theft of trade secrets and three counts under CFAA, and was sentenced to prison time, probation, and nearly $900,000 in restitution and fines.
Nosal's conviction under CFAA hinged on a clause that criminalizes anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization". Though CFAA is often understood to be an anti-hacking law, that clause in particular has been applied to many cases that fall far short of actual systems tampering.
What about sharing your Kickass Torrents password?
Source: http://fortune.com/2016/07/10/sharing-netflix-password-crime/
takyon: Non-Fortune link: Ever Use Someone Else's Password? Go to Jail, says the Ninth Circuit
In the cybersecurity world, the law doesn't always treat the good guys like good guys.
As Harley Geiger put it in a talk titled, "Fighting for Legal Protection for Security Researchers" at UNITED2016, the Rapid7 Security Summit, the vast majority of independent research into the security of consumer and commercial products, "doesn't seek to undermine IP (intellectual property) or safety of products. It helps us keep ahead of those who do seek to do harm."
Yet laws at both the federal and state level, "tend to undermine that," he said.
Geiger, director of public policy at Rapid7, cited laws like the Digital Millennium Copyright Act (DMCA) and Computer Fraud and Abuse Act (CFAA), which he said in crucial areas fail to allow for a distinction between researchers, who are simply trying to improve cybersecurity, and criminal hackers.
The story goes on to reference how the Librarian of Congress has allowed a temporary reprieve (as we covered in It's Finally Legal to Hack Your Own Devices (Even Your Car).) But, as much as that may improve things for the time being, it falls short of what is really needed for security professionals to examine and test systems.
So, how can a white hat work in a responsible way that is distinguishable from a black hat who, when caught, only claims he is a white hat?
Campaigners have expressed outrage at new proposals that could lead to journalists being jailed for up to 14 years for obtaining leaked official documents. The major overhaul of the Official Secrets Act – to be replaced by an updated Espionage Act – would give courts the power to increase jail terms against journalists receiving official material. The new law, should it get approval, would see documents containing "sensitive information" about the economy fall foul of national security laws for the first time.
In theory a journalist leaked Brexit documents deemed harmful to the UK economy could be jailed as a consequence.
[...] John Cooper QC, a leading criminal and human rights barrister who has served on two law commission working parties, added: "These reforms would potentially undermine some of the most important principles of an open democracy."
[...] "It is shocking that so few organisations were consulted on these proposed changes given the huge implications for public interest journalism in this country," said Ms Ginsberg.
The Law Commission sought advice from media groups including Guardian Media as well as civil liberties groups including Liberty and Open Rights Group. Other groups consulted included the intelligence agencies MI5 and MI6 as well as several government departments and senior politicians and lawyers.
[...] The Law Commission recommendations state that there should be "no restriction on who can commit the offence," including hackers, politicians and journalists.
[...] A Law Commission spokesman said it was "both misleading and incorrect" to suggest journalists were at any greater risk under the planned law changes.
Source: The Telegraph
A bug bounty hunter shared evidence; DJI called him a hacker and threatened him with the CFAA.
https://arstechnica.com/information-technology/2017/11/dji-left-private-keys-for-ssl-cloud-storage-in-public-view-and-exposed-customers/
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."
-- submitted from IRC
Submitted via IRC for FatPhil
Good news out of the Ninth Circuit: the federal court of appeals heeded EFF's advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle's website in a manner it didn't like. The court ruled back in 2012 that merely violating a website's terms of use is not a crime under the federal computer crime statute, the Computer Fraud and Abuse Act. But some companies, like Oracle, turned to state computer crime statutes—in this case, California and Nevada—to enforce their computer use preferences.
This decision shores up the good precedent from 2012 and makes clear—if it wasn't clear already—that violating a corporate computer use policy is not a crime.
Source: https://www.eff.org/deeplinks/2018/01/ninth-circuit-doubles-down-violating-websites-terms-service-not-crime
Journalist Matthew Keys has been released from the Satellite Prison Camp Atwater, in Atwater, California, a few months early.
As Ars reported previously, Keys was accused and convicted of handing over a username and password for his former employer KTXL Fox 40's content management system (CMS) to members of Anonymous and instructing people there to "fuck some shit up." Ultimately, that December 2010 incident resulted in someone else using those credentials to alter a headline and sub-headline on a Los Angeles Times article. (Both Fox 40 and the Times are owned by the Tribune Media Company.) The changes lasted for 40 minutes before editors reversed them.
[...] While he had initially wanted to challenge the oft-maligned federal law under which he was convicted, the Computer Fraud and Abuse Act, Keys said his case was ultimately not the right one to bring such a challenge.
Keys and his legal team ultimately decided not to pursue an appeal to the Supreme Court after losing at the 9th US Circuit Court of Appeal in June 2017. Within the next few months he will begin supervised release and will be able to resume work.
From Ars Technica: Matthew Keys, now freed from prison, is ready to get back to journalism
and previously: Former Reuters Journalist Matthew Keys Found Guilty of Three Counts of Hacking [sic].
Submitted via IRC for fyngyrz
It's no secret that the Computer Fraud and Abuse Act (CFAA) is a mess. Originally written by a confused and panicked Congress in the wake of the 1980s movie War Games, it was supposed to be an "anti-hacking" law, but was written so broadly that it has been used over and over again against any sort of "things that happen on a computer." It has been (not so jokingly) referred to as "the law that sticks," because when someone has done something "icky" using a computer, if no other law is found to be broken, someone can almost always find some weird way to interpret the CFAA to claim it's been violated. The two most problematic parts of the CFAA are the fact that it applies to "unauthorized access" or to "exceeding authorized access" on any "computer... which is used in or affecting interstate or foreign commerce or communications." In 1986 that may have seemed limited. But, today, that means any computer on the internet. Which means basically any computer.
[...] There is a case happening now, brought by some researchers and journalists, trying to get the CFAA declared unconstitutional for making scraping of the open internet a crime. On Friday, in a little-noticed, but highly-entertaining ruling [pdf], the district court let the case proceed, but also made some important points about the CFAA, making it clear that the law should be narrowly applied (which actually harms the "is this unconstitutional" question, since the more limited the law is, the less likely it's unconstitutional).
Source: https://www.techdirt.com/articles/20180401/22565539541/court-says-scraping-websites-creating-fake-profiles-can-be-protected-first-amendment.shtml
Nearly two years before the U.S. government's first known inquiry into the activities of Reddit co-founder and famed digital activist Aaron Swartz, the FBI swept up his email data in a counterterrorism investigation that also ensnared students at an American university, according to a once-secret document first published by Gizmodo.
The email data belonging to Swartz, who was likely not the target of the counterterrorism investigation, was cataloged by the FBI and accessed more than a year later as it weighed potential charges against him for something wholly unrelated. The legal practice of storing data on Americans who are not suspected of crimes, so that it may be used against them later on, has long been denounced by civil liberties experts, who've called on courts and lawmakers to curtail the FBI's "radically" expansive search procedures.
The government does store information indefinitely that can be used against you later at a more convenient time.
Web Scraping Doesn't Violate Anti-Hacking Law, Appeals Court Rules:
Scraping a public website without the approval of the website's owner isn't a violation of the Computer Fraud and Abuse Act, an appeals court ruled (pdf) on Monday. The ruling comes in a legal battle that pits Microsoft-owned LinkedIn against a small data-analytics company called hiQ Labs.
HiQ scrapes data from the public profiles of LinkedIn users, then uses the data to help companies better understand their own workforces. After tolerating hiQ's scraping activities for several years, LinkedIn sent the company a cease-and-desist letter in 2017 demanding that hiQ stop harvesting data from LinkedIn profiles. Among other things, LinkedIn argued that hiQ was violating the Computer Fraud and Abuse Act, America's main anti-hacking law.
This posed an existential threat to hiQ because the LinkedIn website is hiQ's main source of data about clients' employees. So hiQ sued LinkedIn, seeking not only a declaration that its scraping activities were not hacking but also an order banning LinkedIn from interfering.
A trial court sided with hiQ in 2017. On Monday, the 9th Circuit Appeals Court agreed with the lower court, holding that the Computer Fraud and Abuse Act simply doesn't apply to information that's available to the general public.
"The CFAA was enacted to prevent intentional intrusion onto someone else's computer—specifically computer hacking," a three-judge panel wrote. The court notes that members debating the law repeatedly drew analogies to physical crimes like breaking and entering. In the 9th Circuit's view, this implies that the CFAA only applies to information or computer systems that were private to start with—something website owners typically signal with a password requirement.
Information wants to be free.
Court: Violating a site's terms of service isn't criminal hacking
A federal court in Washington, DC, has ruled that violating a website's terms of service isn't a crime under the Computer Fraud and Abuse Act, America's primary anti-hacking law. The lawsuit was initiated by a group of academics and journalists with the support of the American Civil Liberties Union.
[...] rather than addressing that constitutional issue, Judge John Bates ruled on Friday that the plaintiffs' proposed research wouldn't violate the CFAA's criminal provisions at all. Someone violates the CFAA when they bypass an access restriction like a password. But someone who logs into a website with a valid password doesn't become a hacker simply by doing something prohibited by a website's terms of service, the judge concluded.
"Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature," Bates wrote.
[...] This isn't the first time a court has held that violating a website's terms of use is not a criminal hacking offense. In 2009, a California federal judge rejected a CFAA prosecution against Lori Drew, a woman who contributed to a MySpace hoax that led to the suicide of 13-year-old Megan Meier. Prosecutors had argued that Drew violated MySpace's terms of service.
In 2014, the Ninth Circuit Court of Appeals—which includes California—rejected another CFAA prosecution based on a terms-of-service violation. In that case, an employee had used a valid password to access confidential information, which the employee then used in ways that violated the employer's policies.
A 2015 ruling by the Second Circuit Court of Appeals interpreted the CFAA in a similar way. It overturned the conviction of a cop who had used a police database to look up information about women he knew personally. While his creepy behavior violated police department policies, the court held, that didn't make it a violation of the anti-hacking law.
"The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer," the appeals court concluded.
China clamps down in hidden hunt for coronavirus origins
MOJIANG, China (AP) — Deep in the lush mountain valleys of southern China lies the entrance to a mine shaft that once harbored bats with the closest known relative of the COVID-19 virus.
The area is of intense scientific interest because it may hold clues to the origins of the coronavirus that has killed more than 1.7 million people worldwide. Yet for scientists and journalists, it has become a black hole of no information because of political sensitivity and secrecy.
A bat research team visiting recently managed to take samples but had them confiscated, two people familiar with the matter said. Specialists in coronaviruses have been ordered not to speak to the press. And a team of Associated Press journalists was tailed by plainclothes police in multiple cars who blocked access to roads and sites in late November.
More than a year since the first known person was infected with the coronavirus, an AP investigation shows the Chinese government is strictly controlling all research into its origins, clamping down on some while actively promoting fringe theories that it could have come from outside China.
"Picking Quarrels & Provoking Trouble" - China Slams Journalist With 4 Years In Jail Over COVID Reporting:
At the beginning of the pandemic, the Communist Party filled the airwaves with positive headlines about how well it was mitigating the virus' spread. The Chinese government also went on a censoring spree, removing online content posted by journalists or citizen-journalists who reported firsthand accounts of the public health crisis unfolding in Wuhan, China, the epicenter of COVID-19. The government even went to the extent of detaining people who reported on the crisis, alleging they were spreading lies.
Citizen journalist Zhang Zhan is the first known person to be handed a four-year jail term for her reporting in Wuhan.
Zhan provided firsthand accounts of overcrowded hospitals and empty streets that challenged the government's official narrative.
She was convicted on Monday at the Shanghai Pudong New Area People's Court for "picking quarrels and provoking trouble," according to Reuters.
The verdict is a warning to all journalists in the country that the communist government is coming after those who exposed their shortcomings during the initial months of the virus outbreak. More importantly, Zhan's case shows the government has a zero-tolerance policy for critics.
"You have not converted a man because you have silenced him."
-- John Morley, 1st Viscount Morley of Blackburn.
Supreme Court Overturns Overbroad Interpretation of CFAA, Protecting Security Researchers and Everyday Users:
EFF has long fought to reform vague, dangerous computer crime laws like the CFAA. We're gratified that the Supreme Court today acknowledged that overbroad application of the CFAA risks turning nearly any user of the Internet into a criminal based on arbitrary terms of service. We remember the tragic and unjust results of the CFAA's misuse, such as the death of Aaron Swartz, and we will continue to fight to ensure that computer crime laws no longer chill security research, journalism, and other novel and interoperable uses of technology that ultimately benefit all of us.
[...] Today's win is an important victory for users everywhere. The Court rightly held that exceeding authorized access under the CFAA does not encompass "violations of circumstance-based access restrictions on employers' computers." Thus, "an individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him."
https://arstechnica.com/tech-policy/2022/04/linkedin-cant-use-anti-hacking-law-to-block-web-scraping-judges-rule/
In a case involving LinkedIn, a federal appeals court reaffirmed Monday that web scraping likely doesn't violate the Computer Fraud and Abuse Act (CFAA).
The ruling by the US Court of Appeals for the Ninth Circuit drew a distinction between data that is password-protected and data that is publicly available. That means hiQ Labs—a data analytics company that uses automated technology to scrape information from public LinkedIn profiles—can continue accessing LinkedIn data, a three-judge panel at the appeals court ruled:
DOJ Announces It Won't Prosecute White Hat Security Researchers:
On Thursday the Department of Justice announced a policy shift in that it will no longer prosecute good-faith security research that would have violated the country's federal hacking law, the Computer Fraud and Abuse Act (CFAA).
The move is significant in that the CFAA has often posed a threat to security researchers who may probe or hack systems in an effort to identify vulnerabilities so they can be fixed. The revision of the policy means that such research should not face charges.
"Computer security research is a key driver of improved cybersecurity," Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."
[...] For decades experts have criticized the broad nature of the CFAA. The Electronic Frontier Foundation, an activist organization, previously said that "Security research is important to keep all computer users safe. If we do not know about security vulnerabilities, we cannot fix them, and we cannot make better computer systems in the future. The CFAA should protect white-hat hackers and give them incentives to continue their important work."
Andrew Crocker, a senior staff attorney on the EFF's civil liberties team, told Motherboard in a statement, "We're pleased to see the Department of Justice recognize the contribution that security research plays in strengthening the security of the entire Internet, everything from messaging and social media applications to financial systems to critical infrastructure. Too often, the specter of the CFAA—with its ill-defined focus on 'unauthorized access'—deters researchers from discovering and disclosing vulnerabilities in these systems."
He said that the new policy does not go far enough. "By exempting research conducted 'solely' in 'good faith,' the policy calls into question work that serves both security goals and other motives, such as a researcher's desire to be compensated or recognized for their contribution. As an agency policy, it does not bind courts and can be rescinded at any time such as by a future administration. And it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators. The policy is a good start, but it is no substitute for comprehensive CFAA reform."
The announcement provided an example of the sort of 'research' that would be considered bad faith and could still face charges. "Discovering vulnerabilities in devices in order to extort their owners, even if claimed as 'research,' is not in good faith," it reads.
The ScheerPost is running a tribute to the late Aaron Swartz ten years after his untimely death on 11 January 2013.
Jan. 11, 2023 marks the tenth anniversary of the death of Aaron Swartz. Swartz had a prolific career as a computer programmer: At the age of 12 he created The Info Network, a user-generated encyclopedia widely credited as a precursor to Wikipedia. Swartz's later work would transform the internet as we know it. He helped co-found Reddit, developed the RSS web feed format, and helped lay the technical foundations of Creative Commons, "a global nonprofit organization that enables sharing and reuse of creativity and knowledge through the provision of free legal tools." In 2011, Swartz was arrested and indicted on federal charges after downloading a large number of academic articles from the website JSTOR through the MIT network. A year later, prosecutors added an additional nine felony counts against Swartz, ultimately threatening him with a million dollars in fines and up to 35 years in prison. Swartz was found dead in his Brooklyn apartment from suicide on Jan. 11, 2013. TRNN Editor-in-Chief Maximillian Alvarez speaks with the co-hosts of the Srsly Wrong podcast, Shawn Vulliez and Aaron Moritz, about the life and legacy of Aaron Swartz.
Viewers can learn more about Swartz by watching the documentary The Internet's Own Boy, and reading his "Guerilla Open Access Manifesto."
Previously:
(2021) Supreme Court Overturns Overbroad Interpretation of CFAA, Protecting Researchers and Users
(2021) Supreme Court Reins in Definition of Crime Under Controversial Hacking Law
(2018) The FBI Secretly Collected Data on Aaron Swartz Earlier Than We Thought—in a Case Involving Al Qaeda
(2014) The Aaron Swartz Documentary: Review
Federal Court Says Scraping Court Records Is Most Likely Protected By The First Amendment:
Automated web scraping can be problematic. Just look at Clearview, which has leveraged open access to public websites to create a facial recognition program it now sells to government agencies. But web scraping can also be quite useful for people who don't have the power or funding government agencies and their private contractors have access to.
The problem is the Computer Fraud and Abuse Act (CFAA). The act was written to give the government a way to go after malicious hackers. But instead of being used to prosecute malicious hackers, the government (and private companies allowed to file CFAA lawsuits) has gone after security researchers, academics, public interest groups, and anyone else who accesses systems in ways their creators haven't anticipated.
Fortunately, things have been changing in recent years. In May of last year, the DOJ changed its prosecution policies, stating that it would not go after researchers and others who engaged in "good faith" efforts to notify others of data breaches or otherwise provide useful services to internet users. Web scraping wasn't specifically addressed in this policy change, but the alteration suggested the DOJ was no longer willing to waste resources punishing people for being useful.
Web scraping is more than a CFAA issue. It's also a constitutional issue. None other than Clearview claimed it had a First Amendment right to gather pictures, data, and other info from websites with its automated scraping.
Clearview may have a point. A few courts have found scraping of publicly available data to be something protected by the First Amendment, rather than a violation of the CFAA.
Democracy Now has a brief interview with a representative from Reporters Without Borders (RSF) on their latest attempt to meet Julian Assange inside Belmarsh high-security prison in the UK. Despite being granted approval, the RSF secretary-general and executive director Christophe Deloire and the others with him were denied entry. No other non-governmental agency has been able to meet with Assange in the last four years either.
CHRISTOPHE DELOIRE: So, what happened is that in the past years we requested to be able to visit Julian in his jail. We got an approval recently, which was confirmed on March 21st with a number, an official number, for myself and my colleague, Rebecca Vincent, and we were invited to come to the prison.
And when we just arrived, the guy at the desk, when he saw my passport, he suddenly was very stressed, and that taking a paper on his office — on his desk, and that read it, saying, "According to Article" — I do not remember the number of the article, but according to this article, "you are not allowed to visit Julian Assange. This is a decision that has been made by the governor of the Belmarsh prison, based on intelligence that we had" — I quote him — "that you are journalists."
And it doesn't make sense at all, first, because, personally, I've been a journalist since 1996, and we were vetted, so it was never a mystery that I was a journalist, never a secret. Second, my colleague wasn't a journalist herself. And we came here not as journalists, but as representatives of an international NGO with a constitutive status in many international organizations. So it was really as Reporters Without Borders representatives, not as reporters covering the case. So, it doesn't make sense for this second reason. And there is a third reason for which it doesn't make sense, is that already two journalists, at least, have been able to visit him in jail in the past four years. So —
Previously:
(2022) Biden Faces Growing Pressure to Drop Charges Against Julian Assange
(2022) Assange Lawyers Sue CIA for Spying on Them
(2022) Julian Assange's Extradition to the US Approved by UK Home Secretary
(2021) Key Witness in Assange Case Jailed in Iceland After Admitting to Lies and Ongoing Crime Spree
(2019) Top Assange Defense Account Suspended By Twitter
(2019) Wikileaks Co-Founder Julian Assange Arrested at the Ecuadorian Embassy in London
(2015) French Justice Minister Says Snowden and Assange Could Be Offered Asylum
And many more.
(Score: 0) by Anonymous Coward on Sunday March 17, @01:38AM
As of last year, Carlson no longer works for Fox, so if it came to a counter suit against him, I wonder if Fox would pay the legal bills now?
(Score: 3, Insightful) by JoeMerchant on Sunday March 17, @01:55AM (1 child)
Can a website be likened to a private residence, or is it more of a public store?
>And that, the government says, is a crime. It charges Burke with violating the CFAA's prohibition on intentionally accessing a computer "without authorization" because he accessed the LiveU website and URLs without having been authorized by Fox or LiveU. In other words, because Burke didn't ask Fox or LiveU for permission to use the demo account or view the URLs, the indictment alleges, he acted without authorization.
So, if you walk up to a private home, twist the unlocked doorknob and walk in, I believe most people (and jurisdictions) would consider that unacceptable trespass...
However, if you are in a commercial area and you do the same on an unmarked door - that doesn't feel like trespass to me... due to the setting, the owner of the door should reasonably expect passers by to attempt to enter (exceptions for doors with signage forbidding entry, etc...)
But, in this great land, anybody can sue anyone for anything, and if you're good at venue shopping you can make just about any flimsy argument stick well enough to at least harass your victim all the way to appeals court.
🌻🌻 [google.com]
(Score: 2) by ChrisMaple on Sunday March 17, @02:27AM
This isn't just a case of "anybody can sue anyone for anything"; this is the government bureaucracy (and in all likelihood its leadership) abusing its power to persecute its opponents. We're slipping deeper into tyranny every day.