This is the perfect example of what happens when a programmer (or in this case a mathematician) thinks that the law operates like a computer.
It doesn't.
The law is interpreted by humans, based on case law, and attempts to understand the intentions of the law as written.
Many programmers don't like this, but that is how the law operates.
(If the author would like to go down another rabbit hole, perhaps he should consider if encrypted information is actually published at all. After all, well designed encryption renders information quite close to random noise in the absence of a key. Perhaps making encrypted information available isn't actually publishing - maybe it is the act of posting how to decrypt it that is the act of publishing.
Note that here, the law would answer "it depends", and that is fine.)
It's the same instinct that leads to things like the sovereign citizen movement that thinks they can avoid going to prison for tax evasion by referring to themselves as JOHN SMITH, INC. in court documents.
It also has something in common with the well known xkcd comic with the punchline "why does your field need a whole journal".
It is possible for clever legal arguments to do fairly amazing things. When Richard Covey invented the Grantor Retained Annuity Trust (GRAT) he all but repealed the estate tax for large estates. But it takes a hell of a lot of knowledge, hard work, and luck to come up with something like that. It's not the type of thing that's at all likely to happen when you haven't even bothered to study the area of law and learn the terms of art or read the case law and instead just google up some statutes and apply "common sense".
Clever legal arguments win individual cases. They don't change things very much. Change comes when those cases are adopted or, in the case of GRATs, not immediately shot down by the legislature. It is not the lawyer that initiates the change. He or she provides the option and the larger society either adopts it or not. GRATs (and similar schemes) exist because they are tolerated. Covey's real innovation was in convincing the right people not to move against GRATs, and in gauging the mood of the country at the time. I wouldn't recommend going out on such a limb without appropriate backing. Politics isn't meant to influence individual cases, but any widespread change beyond the single case is nothing but.
And the follow-up article, which discusses the usual objections that programmers have to the original article: http://ansuz.sooke.bc.ca/entry/24 . Particularly noteworthy is a comment from a lawyer that a key misunderstanding among programmers is that in law, the humans and their social interactions are the first-class entities of the system, not second-order distractions as they tend to be in engineering. This was a very enlightening moment for me in my journey towards understanding why the law seems so absurd from a mathematical perspective.
I think this article does a fantastic job of illustrating why legal problems (determining or enforcing the Colour of something) can never possibly be solved through the use of (colourless) technology - the two are fundamentally incompatible. This is, for example, the reason why DRM has never ever stopped people from sharing copyrighted works - because DRM is trying to solve a legal problem (the Colour of bits) by using a function of those bits (technology), it is destined to fail.
I would add the concept that the law, unlike software, is capable of openly defying logic. Courts are permitted to dismiss case law and rule in a completely new and unforeseen direction. That's how caselaw evolves. Someone breaks the pattern and, should others agree, that new thinking is adopted as new law.
All the important cases, all the ones lawyers rely upon in arguments, began with a court or judge breaking from the pattern. That's why they progress up to higher authorities. That's why they supersede previous caselaw.
Legal rulings and statutes, etc. are pretty far removed from the type of deductive logic that can be "openly defied" in the sense that busted math calculations or if>then statements can be self-evidently wrong.
For example, the case Olmstead v. U.S. was a big deal in the 20s when the Supreme Court said the fourth amendment protection for "persons, houses, papers, and effects" didn't apply to taps on telephone wires. I disagree with that result not because it "openly defies logic" but because my understanding of the underlying importance of privacy is at odds with those of the justices. That's not a dispute about logic, it's a disagreement about values.
It's not like you have overturned the parallel postulate, the old mathematical system where it is true still exists, so it doesn't seem similar at all.
> if encrypted information is actually published at all
Given the arguments surrounding searches of "private papers", I'd analogize 'publishing' an encrypted SSN to be somewhat like putting a document in the public square... in a safe.
Exactly. With a sufficiently powerful telescope, I can read an SSN printed on paper through the window bounced off the reflection from your watch from a mile away. But we wouldn't call that publishing.
I don't think that's true. I think there are phenomena like scattering and the diffraction limit that come into play that keep you from doing that.
Unless you're watching one of those stupid TV shows where they make this look easy. Just call up something on the screen and say "enhance". Then zoom in again and "enhance". Until you get the result you want. The problem is those scenes are written by liberal arts TV writers who didn't even pay attention to science in grade school.
It's not real world physics as I understand it. But, as Dennis Miller used to say, "I could be wrong". I'd welcome a pointer to some scientific explanation of how it is possible.
The argument that programmers are ridiculous pedants who don't understand anything and should leave the law to The High Priests Who Really Understand These Things seems to get more than its share of support, but is that what's going on here?
Suppose there is some thing the law says you can't publish. You encrypt it with AES, throw away the key and then publish the ciphertext. It's not at all clear that the law is going to punish you for that -- nobody can read the information anymore, so whatever evil the law was intended to prevent is not occurring, and anyway the government is going to have a hard time proving their case since without the key they can't actually prove what the ciphertext is.
Now suppose you do the same thing but instead of AES you use 40-bit DES, which anybody can easily break with modern hardware. Now you're arguably publishing the thing, and the government can prove what the ciphertext is, so the outcome could be different. But that wouldn't have been the case in the 1970s when computers were slower.
So what is it about the conclusion that the law could depend on the state of computing power and algorithms that you find so implausible?
Not implausible, but... uninteresting. It's like saying, if you shoot someone wearing a bulletproof vest, and the vest is able to absorb the impact and prevent serious injury, the law considers that one thing; but if the shot is too powerful for the vest and kills the person, the law considers that another; therefore the law depends on the state of armor/weapons technology. Sure, it does depend on it, but only indirectly insofar as it affects the outcome the law really cares about. In my hypothetical, that's whether you caused someone to be hurt or killed; in yours, it's whether you caused someone unauthorized to read the data to be capable of reading it.
The difference is, the technology can change underneath you.
For example, suppose Comey succeeds in mandating encryption backdoors. Then the backdoor gets compromised and published. You suddenly have an obligation to use an encryption mechanism you know is compromised to transmit things you have an obligation to keep secret. Catch 22.
In theory a court might realize the absurdity of that situation and let you out of one of the obligations, but how do you know which one it will be? Or that they won't still demand that you do both, effectively requiring you to shut down your business until the government changes the law?
The focus on computing power misses the forest for the trees. It's not about available computing power. It's about the intent. If you know decryption is possible, then "wink wink, it's encrypted" is a poor argument that the data wasn't published.
And now you've got yourself some trouble, because the intent for publishing the free speech flag can reasonably be as criticism of laws purporting to make certain information illegal. Then you're publishing political speech which is a whole different ballgame.
But the better point is that people have become quick to dismiss the math, as if facts and logic and reality are irrelevant to the law. The law has to live inside the universe. It has to do something when the problems the math proves can happen actually do.
So for example, the xor situation is interesting. If you xor with random bytes, the result is indistinguishable from random and is capable of encoding literally any information of equal or smaller length -- at the same time -- by changing what you xor it back with. So A xor B is the Declaration of Independence while A xor C is DeCSS, C xor D is the Bill of Rights and C xor E is a trade secret document.
Now suppose there are some websites allowing anyone to publish xor-encoded data (or arbitrary data). Somebody uploads A to one such website and C to another. Anybody who asks about A, you can show them B and it encodes the Declaration of Independence. Anybody who asks about C, you can show them D and it encodes the Bill of Rights. So now A and C are being published by separate sites, each is indistinguishable from random, but xor them together and you get DeCSS.
DeCSS is being published, but who is publishing it? Who can be forced to remove their half, when doing so would also delete arbitrarily many instances of lawful speech that require the same random bytes (and could be the only copy)? What is the status of B and D, given that you can xor them with public documents to get back A and C? What if you can prove that A is preexisting and C is derived from DeCSS and A? What if there is no way to prove which existed first?
If somebody does this, there has to be an answer better than hand-wavy dismissal of inconvenient math.
Your XOR case is exactly the same example as the OP posted, just that the encryption algorithm involved the XOR operation, random bytes and another document.
In court the judge would attempt to judge the intent of each person involved and rule based on that. You seem to think this is a problem, and indeed it is hard. That's why the law uses judges rather than attempting to legislate every possible example.
> But the better point is that people have become quick to dismiss the math, as if facts and logic and reality are irrelevant to the law. The law has to live inside the universe. It has to do something when the problems the math proves can happen actually do.
No. This is the key thing you are missing. Elsewhere on this thread someone put it like this: "I would add the concept that the law, unlike software, is capable of openly defying logic. Courts are permitted to dismiss case law and rule in a completely new and unforeseen direction."
The Law is lazily evaluated, in a specific court, in the context of a specific case. It does not follow that the logic in one case applies in another - sometimes it might, sometimes it might not, and things like the intent of the people involved matter.
> Your XOR case is exactly the same example as the OP posted, just that the encryption algorithm involved the XOR operation, random bytes and another document.
It isn't. If you encrypt something with most algorithms, there is going to be one key that turns it back into something intelligible and all the others produce garbage. That isn't the case with xor. Different "keys" will produce different intelligible decryptions.
> In court the judge would attempt to judge the intent of each person involved and rule based on that. You seem to think this is a problem, and indeed it is hard. That's why the law uses judges rather than attempting to legislate every possible example.
The hardness is the problem. Suppose somebody sends you a DMCA takedown for what appears to be random numbers, arguing that if you xor it with some specific other random numbers you get infringing content. But that proves nothing because it's true for everything, so what are you supposed to do? What is the judge supposed to do?
> No. This is the key thing you are missing. Elsewhere on this thread someone put it like this: "I would add the concept that the law, unlike software, is capable of openly defying logic. Courts are permitted to dismiss case law and rule in a completely new and unforeseen direction."
How is that supposed to solve anything? The problem isn't that the court is going to come across "this statement is false" and have a meltdown, the problem is that we can't predict what the court is actually going to do so we don't know how to behave if we want to stay within the law.
And furthermore that there isn't anything good for the court to do. Of course the court is not required to do something good, but how is it OK when they do something bad?
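The XOR property argued over in the comments above (the A/B/C/D construction, and the claim that a "decryption key" exists for every blob and every target text), as an added Python example that is not part of the thread. The three texts are constructed placeholders, and the function names are assumptions of this sketch.

```python
import secrets

# Constructed placeholder texts standing in for the documents named in the
# thread; none of them is real content.
LAWFUL_1 = b"placeholder: first lawful public text"
LAWFUL_2 = b"placeholder: second lawful public text"
RESTRICTED = b"placeholder: text someone wants taken down"
N = max(len(LAWFUL_1), len(LAWFUL_2), len(RESTRICTED))


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad(text: bytes, n: int) -> bytes:
    """Right-pad with spaces so every document has the same length n."""
    if len(text) > n:
        raise ValueError("text longer than target length")
    return text.ljust(n, b" ")


def random_blob(n: int) -> bytes:
    """n bytes from the OS CSPRNG."""
    return secrets.token_bytes(n)


def build_blobs() -> dict:
    """Build A, B, C, D as in the thread.

    A is pure randomness. Because A is uniform and secret-independent,
    B, C and D are each uniformly distributed too when viewed alone.
    """
    p1, p2, r = (pad(t, N) for t in (LAWFUL_1, LAWFUL_2, RESTRICTED))
    a = random_blob(N)
    b = xor(a, p1)   # A xor B == first lawful text
    c = xor(a, r)    # A xor C == restricted text
    d = xor(c, p2)   # C xor D == second lawful text
    return {"A": a, "B": b, "C": c, "D": d}


def key_for(blob: bytes, target: bytes) -> bytes:
    """Return the 'key' that turns ANY blob into ANY chosen target.

    This is why "XOR it with these other bytes and you get X" proves
    nothing about the blob itself: such a key exists for every target.
    """
    return xor(blob, pad(target, len(blob)))


if __name__ == "__main__":
    blobs = build_blobs()
    print(xor(blobs["A"], blobs["B"]))  # first lawful placeholder
    print(xor(blobs["C"], blobs["D"]))  # second lawful placeholder
    print(xor(blobs["A"], blobs["C"]))  # restricted placeholder
    unrelated = random_blob(N)          # blob with no connection to any text
    print(xor(unrelated, key_for(unrelated, RESTRICTED)))
```

All of the information lives in the pairing of two blobs, never in one blob alone, which is the property both sides of the exchange are reasoning about.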
> You do, as soon as you're pointing someone towards C.
By this logic pointing out that there are drug dealers in Detroit is distribution of narcotics, pointing out that there is money in a bank is conspiracy to commit bank robbery, publishing a vulnerability is publishing everything on every system with that vulnerability, etc.
It's also an obvious practical problem since you've reduced the resources necessary to publish something from having to host a multi-gigabyte piece of content and have enough bandwidth to distribute it to millions of people, down to distributing a couple of hyperlinks. Which you might do with a mailing list or RSS feed that all the interested parties will then already have a local copy of before anybody can do anything about it, or from a different jurisdiction because transit from overseas is no longer prohibitively expensive.
> One of the main errors techies make about the law is that they tend to see a problem to prove something as fatal to a law.
It's supposed to be. If you can convict someone without proving their guilt then you can convict anyone regardless of their guilt.
You're pointing to C because you want people to xor it with A (and you're probably telling them that, too).
When I say "there are dealers on the corner", I don't want you to buy drugs.
When someone else says the exact same thing, he might want you to buy drugs.
He and I are treated differently by the law.
Ad the second point: no, it's not!
You've got it the wrong way around. I'm not talking about convicting someone without proof. On the contrary, I'm saying that the fact that we cannot prove every murder does not mean that the murder statute is fatally flawed and must be repealed.
> When I say "there are dealers on the corner", I don't want you to buy drugs.
> When someone else says the exact same thing, he might want you to buy drugs.
> He and I are treated differently by the law.
And that's where the whole thing falls apart. Because it means there are circumstances that allow someone to tell people where they can buy drugs, so the person who wants to tell everyone where to buy drugs can pretend to be doing it for the same reason you are.
I can come up with some plausible valid intentions for doing the xor thing, but let's use the real case. DMCA 1201 prohibits trafficking in circumvention tools. Intent doesn't matter, because there are very obvious legitimate non-infringing uses for "circumvention tools" and nothing about the tool changes based on the intent of the user, so allowing circumvention tools for non-infringing uses would allow them to be widespread (which they are anyway, but never mind that now). However, prohibiting circumvention tools for non-infringing uses may be unconstitutional.[1] So intent has to matter but if intent matters then in practice that law can't be effective. Which means we shouldn't have that law.
> I'm not talking about convicting someone without proof. On the contrary, I'm saying that the fact that we cannot prove every murder does not mean that the murder statute is fatally flawed and must be repealed.
The problem isn't with statutes where you can't prove every instance, the problem is with statutes where every perpetrator can make themselves look like an innocent person and the only way to convict them is to make an assumption that would also convict the innocent people.
If you uploaded both A and C (or equivalent), then you clearly published DeCSS. That's not a very interesting scenario. It doesn't matter which file was random. It's like being unable to prove which hand you used while robbing a bank.
If they uploaded at the same time, then both are guilty of conspiracy. If they uploaded at different times, then at minimum the second one is guilty.
There might be other factors to take into account that change that result slightly, but it's not really different from a crime that doesn't involve computers.
> If they uploaded at different times, then at minimum the second one is guilty.
You're assuming that you know which one the "second one" is.
The "first" file may have originally been hosted somewhere else or distributed privately. Some hosts don't keep high granularity timestamps or any timestamps at all, or the user may control the timestamp. How do you know who was first?
I don't think that is the exact intention of this article. It could very well be that the author knows that law is interpreted by humans and does not function like a computer. The purpose of the article is to present a fresh interpretation of the law taking into account advancements in technology, of which many people in our judicial system lack sufficient understanding.
> The law is interpreted by humans, based on case law, and attempts to understand the intentions of the law as written.
So what you are saying is that "loopholes" in the law actually don't exist, because those loopholes run counter to the intentions of the law? Interesting!
Generally speaking, "look! I found a clever loophole in the law!" - as performed by any layman who doesn't actually understand the legal system - leads to getting smacked by a judge for being an annoyance.
The term "loophole" doesn't refer to what we programmers would think of as implementation bugs; nobody is, e.g., dodging taxes by saying "these rules are for salaries under $100K, these are for over $100K, I'm making exactly $100K so I don't have to pay anything nyaah." It refers to what we programmers would think of as design bugs: the intent of the law does not cover the situation at hand, and it is not a judge's place to say, "Hm, I guess they meant to write a law about this."
A good example is the backdoor Roth IRA, which lets you exceed the Roth contribution limit by transiting your money through a traditional IRA (which has no limit) and then converting it to a Roth IRA (which has no limit). It's well-known that you can do this, and the legislature has had plenty of opportunities to put a contribution on either of these two steps. But they haven't. It would contradict the will of the legislature for a judge to say, "Look, obviously they didn't mean that," because at this point if they meant that they would have said it.
> This is the perfect example of what happens when a programmer (or in this case a mathematician) thinks that the law operates like a computer.
> It doesn't.
It's illogical, inconsistent and incomplete, is that what you are trying to say? Or is there some higher order logic that computers can't calculate?
> and that is fine
From your description of what the law should be, "fine" could mean anything. Should I attempt to understand the intentions? Perhaps you are saying, you yourself don't have an issue with it, but that is not generalizable. In my own terms, that's an opinion. And that's a matter of fact. Albeit, I'm bad with maths and computers, so I can't prove it a fact.
Formal logic can only be applied to precisely stated propositions.
Formal logic would lead to bad things, for example, imagine a state bans sex with animals. You'd be guilty of having sex with your wife because she's an animal.
The law isn't precisely stated so formal logic is the wrong tool.
Law uses different sorts of logic. If you are curious, take a look at LSAT questions. That's the sort of logic and reasoning lawyers value.
Great point and well said. Except I'd add that the LSAT is heavily focused on deductive, formal logic (particularly the logic puzzles section) and most of the rest is semantics. That's very removed from what lawyers actually do (which I think you described well, it's just that the LSAT isn't very representative of that).
Formal logic is taught in law school and humans cannot but employ it, it's encoded in our brains.
The lack of definitions, the fuzzy logic is the problem. Yet, I am often amazed by accurate law codes, and I am far more astonished by how wrongly I and others use those words contrary to their original usage. I accept that words are defined by their usage. I cannot accept competing definitions. Point in case, I wouldn't say humans are animals, and historic usage proves me right AFAICR from reading on free will etc. At best, a human is a mammal. But you seem to want to use the word differently, so, I agree that this doesn't really work.
It is not illegal to publish a social security number. Watch this:
268-91-7112
That is a social security number, but I guarantee you I will not be prosecuted for publishing it. What is illegal is publishing the binding between a particular social security number and a particular person.
Geeks get way too hung up on this idea that publishing these things should be OK because "they're just numbers." No, they are not "just numbers". They are numbers with some associated semantics. This number is Bill's SSN, that number is Sony's secret key. It's the semantics that matter, not the number.
The point was that you can either make the binding cost no computational resources for the reader (by publishing the binding in plaintext), or you can make it cost some mild amount of computational power (say, put it in a list of 20 fake numbers), or you could make it computationally infeasible by encrypting it. Is the second option illegal? At what computational difficulty does it become illegal?
Either way, the fact that the third is legal means that the law depends on compute power.
There are interesting paradoxes though when you mix "legalistic" and "geeky" worldviews. :P E.g. let's say somebody publishes the statement "one of the prime factors in Bill's SSN is 7"... and then someone else, independently... ;P You get the point! :)
Then you look at them, determine their intent (to publish Bill's SSN) and punish them or not accordingly. That's the point of the legal system and judges - as opposed to computer code they actually tend to try and determine intent as an important part of a ruling.
> Then you look at them, determine their intent (to publish Bill's SSN) and punish them or not accordingly.
That sounds like a very pragmatic view of the legal system. I'm more idealistic so I'd rather say that you have to "prove" (rather than "determine") their intent before you can punish them. ;P
Look, I'm not saying you're wrong, but there absolutely are times when the "geeks" win. For example consider export control for cryptographic algorithms which was thoroughly ridiculed by "geeks" [1] and later scrapped IIRC.
The problem is, the intent of such action is, most probably, to just fuck with the law (requiring it to solve the task it can't work on, because it's from the different realm[1]), not to publish Bill's SSN.
Legal system may try to handle the issue - in this particular case, it's possible to just ignore the primary intent and decide whether an intent to publish did exist instead - but sometimes it just fails. I think that's, for example, how PGP source code was exported, working around munitions export laws.
[1] It must be dual. In a same manner formal logic can not be always applied to the realm of legal affairs, laws may malfunction when asked to handle problems from the domains they don't really map to.
Well, I remember that being part of the contention. Sony said, "we've patented it". Everyone else said, "how can you have patented it, when you won't tell anyone what it is!?". Or something along those lines.
I think at the time what I found ridiculous was that you were prohibited from "having" the number, but of course nobody could say what number it was you weren't allowed to have... seemed like something that belonged in Dr. Strangelove.
Calling an SSN "a number" is reductionist even for a programmer. Does open() return an integer or does it return a file descriptor? Is it okay to do arithmetic on it and expect sensible results because it's just a number? In fact, programmers go out of their way to add a rich set of semantics and behaviors to things that are, under the hood, just numbers.
"now that it’s public, you have to wonder whether this will bite me in the ass when I’m 60 (...) and my identity gets stolen"
Could someone from the US care to explain why publication of these numbers is such a big deal, and why it can lead to identity theft (an idea that I see often on the internet)?
In Spain we have a unique ID number and it is pretty common to see them published all over the place. The government and administrations routinely publish lists of people with their name and ID number, for example if you have applied for a public sector job, a government grant, etc. your ID number will be published in a list that everyone can see and even find on Google. We don't see it as a problem because knowing someone's ID number doesn't mean you can steal their identity - to do that they would need to forge the actual ID card, for in-person procedures, or steal passwords or keys, for online stuff. Knowing the number alone doesn't give you access to anything. In fact, it is publicly known that the current king has the ID number 15 and the former king 10 (number 1 corresponded to dictator Franco who created the system), but it's not that easy to go around impersonating the king :)
What can you do if you know a person's social security number in the US?
I'm Spanish too, so hopefully I can explain. The problem is that everyone treats the SSN as if it were a secret number known only to you, so they use it as both an identifier and an authenticator. In Spain, however, most people know to use the DNI number as just an identifier, using other methods (most typically, physical presentation of the ID card) for authentication.
A social security card is not identification. It has no photo on it. Yet, as others here are saying, many organizations use the number itself as identification when it was never intended for that purpose.
Perhaps the answer lies in the fact that the US has no national ID. IDs are issued at the state level and the details vary from state to state. This helps make it easier to forge identification because locals will not be familiar with the standards of all fifty states. So, due to the lack of a national ID, we use the federal social security number in a manner it was never intended to try to fill in this hole in our system.
The political organization of the US is a little bit like the EU rather than a country per se. Each state is a little bit like a separate country in some ways. There are overarching federal laws, but a lot varies from state to state, just like a lot varies from country to country in the EU.
A huge number of firms treat the SSN as "private" and having knowledge of an SSN proves that you are that person. It's not what they were designed for, but good luck explaining that to the electric company and the gas company and the credit card company and the bank...
"What can you do?" With Duke Energy, the electric provider in my last apartment complex, you would have absolutely no problem registering for electric in someone else's name and having them on the hook for it if you knew their SSN.
For some reason a lot of businesses treat SSN as a secret password. Our numbers aren't supposed to be published, but they are used so often they aren't really secure.
You can do stuff like apply for lines of credit using a SSN. If you use my name and my number it's presumed to be me applying for the credit.
Credit theft. People can acquire a credit card by mail or online.
That's interesting... in Spain does getting credit require an in-person appointment? Because maybe that's a simple answer to 2/3 of the identity theft in the U.S.
AFAIK yes, it always requires an in-person appointment directly or indirectly.
There are some online banks without offices, but typically they are subsidiaries of physical banks, or they have deals with them, so they will only give you credit if they have seen you at the physical bank first.
In Brazil, I can get some credit lines (usually small) by just spending more than I have on the bank, for others (a bit bigger) I'll need to enter my pin number either on a phone or an ATM, and for big credit lines, I'll have to go to the bank.
That's credit from a business you have an account with. In the US, I can often get credit from a business I have had no prior contact with with just my name and SSN. Recently, there may be multiple choice identity verification questions (pick where you used to live, what other credit accounts you have, how much their payments are, etc).
The US doesn't have good standards around this for everyone, for a variety of reasons.
You can use an SSN to map to an existing credit file. From there, you establish accounts with places with poor verification practices and use them to move up the food chain.
Some states historically were very weak in verification for state ID -- best case you have an auditable link between a birth certificate, lease and/or parental affidavit. Few people can be linked to a biometric. (Other than headshot photo)
SSN alone isn't thaaat bad but if you have someone's birthday and SSN you can for all intents and purposes do anything. Those two combined are basically the only proofs of identity that anything asks for. Only thing you can't do is get a passport and in some states (most now I think) you can't get a drivers license.
The trouble with this logic - to which I am not entirely unsympathetic - is that under it, a computer program binary would also constitute an "illegal number". "You've copied Microsoft Office!" "Nonono, that's just a very large number in binary."
The actual answer is: the law is all about intent.
I desperately want to read a lawyer's answer to the questions raised by the author. My bet is that most of the gray areas exist simply because no cases involving them have been litigated. If such cases ever go to trial, courts will probably rule in a rather common-sensical way, such as by creating a bright-line rule[1].
Lawyer answer (in general terms and without citations):
All intellectual property rights are limitations on free speech. Courts rule against the publication of exact copies, or identical copies in different media, every day. IP law requires courts to prevent copying else it be meaningless. The flag is not an expression of a new idea, it is a facsimile of a protected number, protected data little different than a copyrighted movie or patented design. Its publication could only be legal as some sort of "fair use", but exact copies that directly impact the financial viability of protected material rarely fall within fair use.
They would rule against the flag. If persons want to express themselves using this material, they need to add some form of comment so as to avail themselves of fair use protection. Add a stripe to the flag and get back to us.
There is a minimum bar for what is a protectable "work" under copyright. It also has to be creatively produced, not machine generated in singles. (Not talking about collections here)
Rolling a die and publishing a number between 1 and 6 is not copyrightable.
Would a single number of 20 bytes be a "work?" Even if it's almost certainly generated through strong random? That seems unlikely.
What Sony could do would seem to be civil action under "trade secrets" and/or the EULA.
What about the computational power question? At what point does it become illegal to publish an encrypted SSN/illegal number if you know it takes 1 day to break the encryption using current computational power? What about 10 days? a year? ten years? a hundred years? a thousand years? And what if computational power changes, and a thousand years turns into 1 day? Does the action become illegal retroactively?
Those are meaningless questions. It's trivial to think of 100's of hypos and go 'is this legal? Is that legal?' 1000's of first years do that every year because they think that's what being a lawyer is about, not to mention the amateurs. A judge however considers one specific case, with arguments as to what is the objective reality as presented by the parties. 'What ifs' don't matter. Law is not a closed rule-based system. 'Loopholes' (I loathe that word) are not like buffer overflows.
Wait, but aren't so many of the important US supreme court rulings so contested because they have to consider the ramifications, e.g., of whether a ruling will take power away from the state and give it to the federal government? How is that not a "what if" scenario? Isn't the Baston rule just a big loophole?
Appellate courts get to make such considerations, but not the lower court. The lower court judge can say "I believe the facts say X and therefore law Y should apply" but the appellate courts can say that the interpretation of Y or even law Y itself is incorrect and tell the lower court judge to reconsider the outcome of using law Y in that manner given facts X.
This is why companies with weak crypto can perhaps avoid liability for disclosure, because the crypto shows that they "intended to" protect the information, and it's not zero work to break, even if it's /now/ cheap.
You have to look at the procedures for moving against the publisher. Until someone actually reads the material, it isn't going to be a criminal matter. It would be like dumping shredded classified material. There is no crime there, until someone proves that they can piece it back together. Then you have published (distributed).
In the civil world, the issue would be one of harm. You aren't going to sustain a lawsuit unless you can state some harm. So long as nobody can read the encrypted material, there is no harm. But as soon as someone does you've got a case to bring.
There is an interesting statute of limitations question here as to when the clock starts, but that is a minor procedural issue imho. Many such statutes start not at the wrongdoing, but at the realization of the harm (or reasonable time of realization).
At some level, laws inherently have to be up for interpretation, and operate on some level of abstraction above the intimate details - because virtually everything in life is a spectrum, including the applicability of a given law. In the “fringe zone” in which it's not clear whether a law applies or not, judges have to resort to individual judgement on a case-by-case basis.
This is not something that's new or unique to technology, although technology does a fantastic job of illustrating the difference between a legal problem and a technological problem - as well as the different mindsets you have to approach both with.
Social security numbers are in the uncanny valley between something private enough to be plausibly used as a shared secret and public enough to be exploited widely. There is really only one effective solution to this: Make all SSNs public and therefore useless as a secret key. All the services that are currently (ab)using this number will find alternatives.
My (excessively hermetic) message was meant to mean: "All the SSNs will one day be public. Even if the legislator does not make them public, they will leak one day anyway."
SSN is only one example. All your medical records, your entire genome can be represented as a number. Does that suddenly make it acceptable to publish?
Any information can be rendered as a number. The whole idea that there's something special about numbers that makes them different from other kinds of information (i.e. it's OK to publish this "because it's just a number") missed the point rather badly.
> The case was eventually settled out of court, but the question remains whether it’s illegal to publish a specific number on the internet. The law currently seems to agree with Sony, that free speech doesn’t cover Hotz’s case.
> One counterargument is that if a specific number is illegal to publish, then so is anything derived from that number. An excellent example of this is the Free Speech Flag
There's obviously a huge difference between publishing a number and publishing a number with a message next to it saying "this number is the password for X". Clearly the intent of the law is to stop the latter.
The main problem is that parts of our society still treat social security numbers as if they were passwords.
However, they are short, uniquely assigned, and not changeable - which means they are user names (identifiers).
(Same thing with fingerprints, BTW.)
Meanwhile, designing systems that can uniquely identify consumers/customers/employees/suppliers/students with a generally unique ID would lead to a reduction in error rates and increased efficiency.
Security must be solved with tools designed for it (state issued signing key/device?).