...the defense expert investigators wrote that they "do not consider the NIT to be 'hacking'" because the NIT "exploited a configuration setting that did not require offensive-based actions."
But you'll get maliciously prosecuted for guessing a sequential URL and typing it into your address bar thanks to CFAA...
The use of malware itself isn't really the legal reason why this is questionable. You can get a warrant to hack someone.
Just like busting down a door and taking someone's stuff is burglary, but a cop can do it with a warrant.
The legal reason for why this is questionable is because typically the judge can only issue warrants for people or places inside their state. The problem is that the rule was written before the internet.
It totally falls apart with TOR because law enforcement and courts can't even figure out where the server is. So this leads to an interpretation of the law where no court in America can issue a search warrant on a .onion address. That is absurd. There is no policy or legal reason to justify giving someone like a child porn distributor a free pass merely because they use TOR.
I'd actually argue that the search is valid if the state has a TOR access node located within it because the .onion address is what is being probed via TOR. It's essentially acting on behalf of the server. But many would disagree with such a broad reading of the rules. And it would be hard to draw a line between TOR and an old ISP network.
If your ship sails under the flag of country X, then it is generally country X's navy that has the authority to keep you in line in international waters. So pick a country like the Bahamas (where the ship in the story was flagged) whose navy rarely leaves their territorial waters, and you can literally get away with murder.
> The law does not have to abide by the law, only has to appear to do so.
Given that weev's conviction was overturned for the prosecution not abiding by the law, while that may be true in some abstract sense, it doesn't seem particularly relevant to weev's case.
> But you'll get maliciously prosecuted for guessing a sequential URL and typing it into your address bar thanks to CFAA...
I don't know that you can say "thanks to CFAA" for a prosecution that was not -- per the appeals court that threw out the resulting conviction -- carried out properly.
I'm not sure if you're unfamiliar with the Weev case, or trying to make it sound like it was more complicated, but if you look at the reasons why he was originally convicted, it was specifically for typing in a URL and "gaining access" to data that was publicly available on a website.
He incremented a number in a URL, and that was his ultimate crime.
Do you honestly think it's right to send someone to jail for several years because they were messing around with a URL?
Of course he likely deserved to be charged with something, but not what he was charged with, and it hurts the rest of us when things like this set a bad precedent.
This is exactly like saying that someone convicted of trespassing had an ultimate crime of "turning a doorknob", ergo we should all fear for our ability to turn doorknobs. No, that's not how it works. The state must prove not just action, but intent.
Well, it's not that similar, in that weev's conviction was overturned on appeal based on improper venue, with the appeals court also quite skeptical (though, as the improper venue was sufficient to dismiss the conviction, not stating an authoritative conclusion on this point) as to the sufficiency of the evidence to support the charges.
Both the people arguing for and those arguing against the result in weev's case seem to be forgetting what the final result actually was.
I'm sorry but I don't see what this has to do with the point I raised. I am very familiar with Auernheimer's case, so if you could spell out in more detail what you're objecting to, I'm pretty sure I can follow along.
The point I was making upthread had less to do with Auernheimer's case than it did with the silly notion that the case turned on "incrementing a URL".
> The point I was making upthread had less to do with Auernheimer's case than it did with the silly notion that the case turned on "incrementing a URL".
Your rebuttal seemed to be based on the premise that the conviction turned on more than action, but substantive evidence of intent.
My response addressed the fact that, while the conviction was dismissed for procedural reasons, the appeals court also appeared skeptical of the substantive result for the same reasons that the critics here are -- that the evidence did not appear sufficient to show the intent.
You were responding argumentatively to people who were clearly making a normative argument about the trial conviction (and also blaming the CFAA for it); and it seemed like you were making a contrary normative claim about that conviction; if you were intending merely to argue that the actual structure of the CFAA didn't support the conviction so that the blame-attachment was misplaced, that didn't come across clearly to me.
But if that's what you were saying, then, yeah, there's nothing really to argue about.
>He incremented a number in a URL, and that was his ultimate crime.
IANAL, but the way I understand it, it's not about the method that you used to access the system. Even if someone was highly incompetent and left their system open to being accessed, the fact that you accessed it knowing you shouldn't have is the actual crime.
After all, even if someone leaves the doors and windows wide open to their house, it's still illegal to go inside if you don't have permission. In this case they left the URLs open to be accessed, but it was clear that that part of the website wasn't meant to be accessed by the general public and the prosecutors were able to convince a jury/judge that weev would have reasonably known that.
I walk up to a grocery store with automatic doors. The lights are all on. The doors open. I walk in. It's 8am.
This grocery store has two sets of doors, about 200 feet apart. At the other set of doors there is a sign that says that the store doesn't open until 9am.
That is a poor analogy. I'd say it's more like walking into the back room of the store even though the door was wide open, and then snooping around in there. That is trespassing.
I actually think it's the perfect analogy. It's a robot that does exactly what you tell it to do. If you apply power it'll open for ANYONE and if you don't apply power, it doesn't.
I can't see a better analogy for the webserver that revealed confidential information as someone who accidentally left the automatic door on. It opened when the owner didn't want it to, but you can't blame the user of an automatic door for taking its working as some kind of implied permission. If the owner of said automatic door didn't want it to open he or she had only to switch the door off to make their desires translate 100% into real action.
Where things get dicey is that there are certain customs and tradition and clues regarding whether a store is open or not. If the lights are off and it's the middle of the night and there are no cars in the parking lot and etc, it's probably not open and the door opening is probably a mistake, not on purpose.
The internet does not provide any kind of context clues like this, except perhaps for robots.txt and that doesn't apply to humans!
Again IANAL and trespassing is a different law than the CFAA, but if the prosecutors could reasonably prove that it wasn't an honest mistake and you were knowingly going into the store when you're aware it's not allowed, then yes I think you could be charged with trespassing.
Like say you're an ex-employee who for some reason wants to go look at the schedule (maybe you're stalking one of your old co-workers). If you walked in knowing the store was closed and you shouldn't be there, then I have to imagine you'd be arrested and charged with trespassing amongst other things.
Both deal with unauthorized access and intent don't they?
The point I'm trying to make is that it's VERY difficult to divine intent in the absence of any kind of access control.
In other words, given my above example and that's all the information you have, you can't prove that I intended to trespass. Now if the doors didn't open automatically and there was a broken lock, it's much easier to determine intent.
But in Weev's case, there was no broken lock because there was no lock at all!
Going strictly from the evidence we can surmise that AT&T didn't INTEND to prevent unauthorized access because they did nothing to prevent it.
We always delve into ridiculous analogies on this site for some reason when it comes to this case, trying to somehow justify that someone, knowingly, was accessing a system they, again knowingly, knew they should not have been accessing.
Status codes, locks, no locks, these silly analogies aren't really useful. Proving intent is.
So prove the intent. Prove what was going on inside his head. Prove that he didn't merely SUSPECT that he shouldn't have had the information, but that he KNEW he shouldn't.
The reason that things get so silly is that it's very difficult to prove intent in the absence of any kind of access control. If he had bruteforced an admin password, the intent trail is there to be found. If he had done SQL injection, again, it's easy to argue intent. If he had physically broken into the building and stolen paper documents, again the intent is easy to discern.
I would argue that it's akin to finding an unmarked binder lying in the street with absolutely no way of telling whose it is, and what it contains. You open it and don't see anything that says "AT&T confidential information" and start paging through it. How could you possibly be convicted of a crime for that? I know there's criminal "finding" whereby you don't try hard enough to return something to someone that's obviously lost it. But that doesn't apply in this case because the binder in question isn't marked in any kind of meaningful way. Even if it had a header or footer or cover or something that said ANYTHING then I'd be persuaded differently.
But leaving a web service with confidential information on the internet with no access control, I might argue is criminal negligence.
You can keep arguing the semantics which sound great on a discussion forum, but it really has no bearing when it comes to the law. Intent matters, and he was found guilty of accessing a computer with authorization. You wouldn't be found guilty of such if you stumbled upon such system by accident and then turned around and left it alone.
Comments here keep clinging to some black/white technical reason to decide this case due to willful ignorance, or hope that it can be true, but really it isn't like that at all.
> Intent matters, and he was found guilty of accessing a computer with authorization.
Right and a lot of people are saying that it's a miscarriage of justice to prosecute someone based on implied knowledge or assumed knowledge.
It wasn't proven the same way you can prove a great many other things. A jury was convinced of something, and that doesn't constitute actual proof. Just because the government says something is true doesn't make it so.
> This is logic that says that SQL Injection is fine, so long as the HTTP request bearing it elicits a 200 response.
For my tastes, this is actually a reasonable configuration of things.
Nobody is forcing you to use HTTP. If you decide to, and you provide access to your database via HTTP, and you allow me to submit a payload which makes changes you don't like, you are welcome to stop me and issue a 403. It's your database, after all.
This whole controversy seems like a way of shifting blame for security failures from the parties who actually failed to people who were uninvolved in the implementation and just happened to be the first (or the first noticed) to use applications in a way unintended by the designers.
>This whole controversy seems like a way of shifting blame for security failures from the parties who actually failed to people who were uninvolved in the implementation.
That's basically victim blaming though. If someone commits a crime against you, we don't let the criminal go free just because you were inept or negligent in preventing the crime. In a sense they committed a crime against all of society by breaking our laws. It would be ridiculous to start applying laws based on whether the victim did enough to prevent it. No one should be allowed to break the law no matter how easy and vulnerable a person leaves themselves open to it.
Not really. Nobody's blaming AT&T's CUSTOMERS for doing anything wrong. They are the victims. They are the ones who had their personal information made available to people outside of AT&T.
This might better be called perpetrator blaming. The perpetrator is the person who commits a crime. AT&T had an obligation to keep customer data safe regarding the privacy policy that they tell customers that they will uphold. They failed to uphold it in any kind of meaningful way, by failing to provide any kind of access control to said personal information.
Calling it victim blaming is to fail to apply any kind of critical thinking to the situation.
This is basically a blanket decriminalization of all computer intrusions, since virtually all hacking boils down to access to a computer in an "unexpected" way.
Again, that simply isn't how the law works. I see you all around this thread repeatedly trying to reason about half a criminal charge: the actus reus used to gain access to computer system. It makes no sense to think of this particular crime that way; you need the other half of the charge, mens rea, the knowing intent to do something with a computer that you aren't authorized to do.
The problem is that, at least for the moment, AI doesn't have a discernable (or even arguably cognizable) mens rea.
So how do we craft laws for a world where very nearly all the network traffic consists of machines talking to each other, learning, and talking again?
You keep pointing me to "how the law works," but I've said in four different messages now that I understand that - I'm pointing out that the law, as written, doesn't work.
I don't think there is a place for government as we know it - much less the completely shamed criminal justice system - on the internet. These institutions can go peacefully and with dignity or they can be stubborn and destructive, to the detriment of humans everywhere.
The more people try to justify their behavior and normalize their insanity, the more likely the latter scenario becomes.
OK so give me all your personal info to put on a public webpage that says "by CFAA using this info is a crime" and since intent and law are the absolute arbiters of justice no harm should come to you right?
Of course harm will come to me, the point is that those doing the harm should still be held accountable if they're caught.
Yes the law is far from perfect and it's easy to imagine absurd scenarios like yours where the law falls apart. Certainly that should be fixed. But in this particular case Weev knew he was going onto a portion of the webpage that wasn't meant to be public, even if technically anyone could access it because of AT&T's ineptitude. There weren't any links to that exact URL, and in a sense it took some reverse engineering (ok basically just guess and check) for him to find it. It wasn't a public webpage in the sense that he stumbled upon it from some link or a google search. He put thought into purposefully discovering that exact URL and opening it, knowing as a computer security enthusiast that it wasn't meant for public consumption.
I'm afraid I have to respectfully disagree with the idea that "he should have known better".
Most analogies fall flat because webservers do EXACTLY WHAT YOU TELL THEM even if what you tell them to do isn't what you actually want them to do.
Our laws are generally organized around the idea of reasonable adults doing reasonable things and being understood by other reasonable people. The average, reasonable person can't comprehend a webserver.
If you give a robot a gun and tell it to shoot anything that comes through that door and it shoots your wife/husband/child/parent, it's not them who is at fault nor is it the robot. It's your fault and you should be tried for murder.
>The average, reasonable person can't comprehend a webserver.
But weev could. We don't apply laws as if the defendant is some mythical "reasonable" person. We try each case based on its unique circumstances. It's not that he "should have known better", it's that he absolutely did know better.
> But weev could. We don't apply laws as if the defendant is some mythical "reasonable" person.
What weev could or could not do is 100% irrelevant. What matters with regard to the law is what a reasonable person would do. That's literally a thing.
>> This is logic that says that SQL Injection is fine, so long as the HTTP request bearing it elicits a 200 response.
For my tastes, this is actually a reasonable configuration of things.
Nobody is forcing you to use HTTP. If you decide to, and you provide access to your database via HTTP, and you allow me to submit a payload which makes changes you don't like, you are welcome to stop me and issue a 403. It's your database, after all.
Nobody is forcing you to use a door. If you decide to, and you provide access to your home via door, and you allow me to open the door and do things you don't like, you are welcome to stop me by locking the door. It's your house, after all.
You cannot say that issuing a 403 instead of a 200 is OK but turn around and say unpermitted access (what should give a 403) is okay so long as you are given a 200 in response, even if by accident.
If door is locked > return 403 else return 200
The only difference is that the 403 and 200 are implicit with the door being locked or not, rather than an explicit response from door since door is incapable of giving a response (unlike server). Although both server and door are handled by a human.
The shared point of failure is how the human configured the server//door to return a 403/200//unlocked/locked status to individuals other than itself.
Forgetting to lock your door, failing to set -NOACCESS for ${Robber}, is exactly like forgetting to disable the -READ flag for ${User}. Therefore, the configuration is not reasonable.
It's the entire metaphor that's broken, so the fact that you can vaguely map "locked" to a properly functioning auth system and "unlocked" to an unintentional 200 response is irrelevant.
My neighborhood is not the internet. There is no written, unambiguous protocol which my door implements in order to accept or reject guests. In fact, my door isn't programmed to issue responses of any kind; a human or even an answering system might do that, and yes, they might plausibly grant access.
More important is the reverse: the internet is not your neighborhood, and mapping the laws (both legal and social) on a 1-to-1 basis in an effort to recreate the norms of your neighborhood on a worldwide telecommunications system is really inane. I can't for a second make sense of it, much less what lessons it provides us for the proper legal and moral framework to accompany HTTP.
Your analogy doesn't really compare as it involves identity fraud.
>You go to the front desk, tell them you're me and get a key to my room.
This would be the equivalent to using an Admin username/password to login to the server at which point you are given permission flags (-access wallet). Logging in with the Admin username/password without permission is against the law - so regardless if you take the wallet or not you broke the law.
You leave your wallet in your hotel room. I go to the front desk and ask them for a key to your room. They don't question me or verify my identity and simply hand over the key.
Would you be angry at the hotel for not verifying who the person is or why they need a key to your room?
Why does it matter whether he'd be angry at the hotel? We're talking about the person who exploits the hotel's lax security to steal from him.
Impose civil liability on people with terrible security. Fine. That's an orthogonal issue, though. There's no reason you can't do both things, and most reasonable people can imagine a variety of things people might do with computers that they'd expect and want to be criminalized.
Only if you're willing to federally prosecute every person who ever told a website that they were over 18 or 21 if they were not in fact over 18 or 21. Fraud is fraud and justice is blind, right?
If justice is blind, then they are the same thing! They are willfully ignoring or choosing not to obey the rules that society has agreed upon for all people.
If you want to argue that different crimes are different I'm all for it. But if you're going to do that, then please explain to me how Weev not releasing the information publicly is so heinous as to deserve years in prison and a fine worth a substantial fraction of a house.
I don't understand why everyone in this message thread is being so obtuse about how he accessed the site. It DOESN'T matter what method you use to access the system under the CFAA. The thing that matters is intent.
If you disagree with that then fine. And whether anyone can actually prove beyond a reasonable doubt what someone's intentions are is infinitely debatable. But the fact of the matter is that the prosecution proved in a court that weev knowingly accessed a portion of a computer system that he knew wasn't meant to be open to the public and that he knew he did not have authorization to access. It doesn't matter that all he had to do was type in a URL. He knew those URLs weren't meant to be accessed by him, or at least that's what was proven in court.
I'm not really trying to get into a debate about whether the CFAA is a good law, I don't really think it is. But there's certainly evidence that weev broke the law as it's currently written. Yea he got a 200 status code back and we can endlessly debate whether that should mean someone is given permission to access the site. But I think, and the jury/judge agreed, that weev wasn't just poking around their website thinking that those URLs were open to the public. I mean come on, this wasn't just some random user who happened to type in a URL not knowing what it was going to access. Weev knew what the fuck he was doing. Whether there's actually enough evidence to prove that is of course up for debate, but as the law is currently written I think he was guilty.
> He incremented a number in a URL, and that was his ultimate crime.
What ultimate crime? Are we forgetting that weev's conviction was overturned on appeal, indicating that it was a result of legal error? There was no crime. Not in a "well, some people on the internet think he shouldn't have been convicted" sense, but in a "the legal system has authoritatively declared that his conviction was in error" sense.
I'm very explicit about telling my kid exactly that. I point out his behavior, I point out how I sometimes do almost exactly that, what's bad about it, and I remind him that just because I do something doesn't make it right.
Because I'm not setting switches on my son module, I'm trying to influence a human being toward a good direction, despite my failings.
Wait, so my grocery store posts their ad every week and as I get to the last page and I want to jump back to the front, I usually change the .../16.html to a .../1.html. I could go to prison for that?
TF!? When are lawmakers going to learn how the web works?
1. Imagine a row of doors. The owner of the rooms behind the doors has given you permission to walk into any of the rooms. You enter one of the rooms. You then wish to go to the next room. You notice that there is an interior door connecting the two rooms, and so you go through that instead of going out the front door of the first room and in the front door of the second room.
You are not trespassing because you have permission to be in any of the rooms.
2. Imagine another row of doors. The doors have keypad locks on them. You find out the codes for a few of the doors and notice they are sequential, and so you can guess the codes for all the doors. You do not have permission to enter any of the rooms, but since you have figured out the codes you go ahead and enter.
You are trespassing, because you do not have permission to enter the rooms. It doesn't matter that the protections the owner put in place to keep you out were easy to bypass. In fact, if the owner had not locked the doors at all, you'd still be trespassing.
3. Imagine a third row of doors. They are locked. The police obtain a warrant to search one or more of the rooms. To enter the rooms they break the locks.
They are not trespassing, because the warrant gives them legal permission to enter the rooms.
What you are doing on your grocery store website is like #1.
The case the parent comment to yours was talking about is like #2.
The case the article is about is like #3, although some are arguing that there are problems with the warrant that might invalidate it, which would make the case closer to #2, and would lead to exclusion of any evidence gathered under that warrant.
This analogy is severely flawed, to the point of being essentially irrelevant.
There are no locks involved here, in any way.
Let's work with this row of doors analogy. The owner has invited the world to the building this hallway resides in, and has posted a list somewhere that told you about a few of the doors in this hallway. You notice there are other doors too, in between the doors you were told about and you enter them.
That's really a far more accurate analogy. Locks require an active attempt to prevent access. Not finding the exact url as a link elsewhere is extremely far from an active attempt. There's really no reason to believe the owner has any less intention for you to see it than say, the home page, which you probably accessed through a third party or by typing the url directly.
Case 2 is being given a large list of doors thousands you can go into, following the list on floors 1 and 2 noticing door, and then going to floor three and going through a door without verifying off your list.
And Case 3 is like the police breaking a lock to enter a door and then insisting they didn't break the lock. They may have legal authority to break the lock, but they still broke the lock.
The relevant part of the CFAA, chopped up for readability:
> Whoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished as provided in subsection (c) of this section.
That requires both intent and access in excess of authorization. So since 1.html is a public page, you're authorized to read it. If 1.html was the personal information of the customer with ID #1, as in the AT&T case, that would violate CFAA.
Also notable is the definition of a "protected computer." It's any computer "which is used in or affecting interstate or foreign commerce or communication," which is every computer connected to the Internet.
The pages containing personal information of AT&T customers were publicly available though. We have already seen that an overzealous prosecutor will construe regular access as "without authorization or exceeds authorized access" whenever convenient.
As with everything in law, intent is key. Just because something can be accessed by the public, does not mean it is intended to be accessed by the public.
Opening it up so that anyone who visits a link sees it?
Or actually giving the link to someone to post in public.
If the latter, I have a website that one could visit but which I have never given the link out for. It seems absurd that it would be considered hacking to just visit the front page of my website whose link I have never given out but which you can guess. (0 content website of which I never actually finished designing.)
I think that's why intent is the important part of the applicable law. If I went to your website without knowing I wasn't meant to access it, then I wouldn't be breaking the law.
If however you could prove in court that my intention was to access the website without your permission then I would be breaking the law. Certainly it would be very difficult to prove my intent, and there's probably nothing about your website that would make it clear I wasn't meant to access it. But if you had a bunch of private user pages that I somehow figured out how to get to even though it's apparent that I'm not meant to have access to, then I could be prosecuted for that.
I think it's a terrible grey area that this law leaves open, but alas that's how it is for now.
Skeptic in me says this is just a nice way for AT&T to defer blame for not securing their customers' information.
I've poked around websites, just to see what all is available, just by guessing URLs. I never had intention of getting anyone's personal data, of course. But, really, who hasn't done this?
I would question whether the AT&T case involved "access in excess of authorization". I feel like the merest attempt to implement some access control would be necessary for that.
I think he was doing enough other things that I'm not crying a river that he got punished, but IMO it sets a bad precedent.
That's a little too extreme, but you could imagine a real example not far off. In the case where they used 13.html to list their secret cost of goods and omitted it from the button controls, skipping from 12 to 14, and you typed 13.html, then used that information to set prices for your own wholesale business, there's actually a chance you could actually get in trouble for it.
This is reminiscent of the 2013 takedown of Freedom Hosting.[0,1] Exploiting a JavaScript vulnerability in Firefox, compromised sites dropped a Windows executable (“Magneto”) which phoned home (bypassing Tor) with the user's MAC address and hostname. Gareth Owen identified it as EgotisticalGiraffe,[1] which is an NSA tool.[2]
>The NIT exploit bypassed Tor by creating a direct socket connection that eschews Tor's routing—in this particular case, by using a Flash component. This functionality, the experts noted, was identical to Metasploit's decloaking code.
Anonymous used the Metasploit code in a previous attack on Freedom Hosting. Both vulnerabilities used against Freedom Hosting have long been patched. I wonder what vulnerability this takedown exploited. One of the Hacking Team ones, maybe?
Er, no, since the whole HT leak happened within the last two weeks and this operation took place mostly between 2014 and early 2015.
You give the Government wayyyy too much credit if you think it can go from leaked exploit to arrests generated from said leaked exploit within a two week period. The process, like all processes quagmired in bureaucracy, takes months.
While I'm sure that's the rationale, I wonder if there is a difference. If the FBI seized drugs and then continued to sell them, isn't that against the law? If the FBI seized a computer and used it to distribute child porn wouldn't that also be against the law? I can see not seizing it and allowing the original operators to continue for 2 weeks.
Does the FBI operate under different laws? For example, if I know my neighbour is hosting child porn on their computer and I wait 2 weeks to report them, probably I'm safe. If I take his computer and host the files on the same machine for 2 weeks before handing it over to the police, I'm pretty sure I'd be arrested. What law is different for the FBI to be able to do that (if they did)?
I think there is a pretty strong case that those are different.
In the case of selling drugs (assuming that drugs are harmful, and so on, which is obviously debatable), then selling and delivering the drugs to users causes tangible harm that wouldn't happen without the sale of the drug.
In the case of child porn, the child porn has presumably already been created - they're not filming new child porn and distributing that, I presume. So the bulk of the harm is already done. The direct harm from pedophiles downloading that porn and viewing it is minimal. The problem with the child porn is that it needs to be filmed/created in the first place, which involves child abuse, a direct and immediate harm, and that people who enjoy child porn are asserted to eventually graduate to abusing children themselves (a more distant and hypothetical harm, which is negated by arresting those people after having identified them).
So, whilst I also dislike the police's actions in corrupting tools useful for free speech, I don't see that letting the server run for another two weeks to identify more users, and actively selling and distributing drugs for two weeks, are equivalent.
You're right that it may not be morally equivalent, but that's not really relevant to the legal analysis. Possessing and distributing child porn is a crime, regardless of whether you believe it directly causes harm. So the grandparent's question remains: Does the FBI operate under different laws?
There are laws which set out exceptions to other laws. Law enforcement agencies "qualify" for these exceptions in the actioning of their duty if and only if they are respecting any limitations present in those exceptions and all law not explicitly updated by those exceptions.
Though I'm no lawyer, nor am I even an American, so what do I know?!
As a related-but-not-really-directly for instance: in the UK the emergency services (including the police) have exceptions allowing them to break certain driving related laws, but while doing this they must display their presence obviously, with at least the flashing lights and where necessary their sirens, so other road users are aware that a speeding vehicle may be about to enter their locality and can safely respond to that circumstance. The blues and twos are not just to get people to move out of the way, they are to inform other road users that you are there and may be speeding or performing other manoeuvres that are not normally permitted (or, at least, are generally frowned upon). Though while the exceptions allow breaking other rules in certain circumstances, there are both specific exceptions to the exceptions (there are limits to how fast the police can go in urban areas and so forth) and they are always couched in wording that means that general due diligence must be followed (the police are expected to use their judgement so even if operating within the set limits they could be reprimanded & charged if they cause damage/injury/death and it is successfully argued that no reasonable person would have taken the offending action under those circumstances).
Of course with agencies like the FBI there is a greater level of secrecy, so enforcement is more difficult. Who watches the watchers when the watchers can arrest/detain/prosecute you for watching?!
Depends to what extent. A cop who is being reckless to the extent of putting others at harm should be charged with such a crime. It is like when a cop goes to shoot a suspect without any concern as to who is behind the suspect. Cops are allowed to break laws, but only when they do not cause direct and significant harm to someone.
For example, taking drugs is legal for an undercover cop. Forcefully drugging some bystander is not.
>> Should a cop get a ticket for chasing a speeder?
A cop does not get to go speeding on the highway in order to sneak up on speeders from behind. (S)he does get to break the law a bit (speeding) once a speeder has been identified in order to catch them. Unfortunately the justification for this seems to be that it's the most practical way to catch them. I don't mind the practice, but I'd prefer a better justification. Got one?
I see, so in that case I guess prison guards should be sent to jail for kidnapping and holding people against their will. I mean, if you're going to take your reasoning to its natural conclusion...
Hint: violence is not illegal per se, it's only illegal when done by someone other than the state, in a way that violates the laws of the land. To exist, a state must maintain a monopoly on violence - and in order to maintain that monopoly it must from time to time use or at least threaten violence. At least, that's how it works today. Perhaps in the future that will change...
It is in the interests of society that its police be held to the same rule of law as everyone else, or to an even higher standard.
But in this case, it is equally legal for a prison guard to hold a duly convicted criminal against his will as a private citizen, because the criminal's right to roam free was suspended by judicial order in the sentencing phase of his trial.
The logical standard for permitting police to engage a fleeing suspect with a high-speed chase is by determining that the suspect would present a greater threat to the public if allowed to escape than the damage that could occur during the pursuit.
Since innocents have been killed in the past by both fleeing suspects and police pursuit vehicles, one might suspect that police would only start a hot pursuit for known-violent murder suspects, and for everyone else, radio in a description of the vehicle and its passengers so that other cops further ahead of it can block traffic or throw down spike strips. Unfortunately, this is often trumped by the de facto "adrenaline standard".
The fact of the matter is, cops who speed can be ticketed for it. But then the cop who issued that ticket to another cop is overwhelmingly harassed by her peers as a "traitor" to the cop culture. (search: florida "donna watts" "fausto lopez" 2011) The net result is that police are held to a lower standard of law than everyone else, and that creates a culture of corruption.
>> I see, so in that case I guess prison guards should be sent to jail for kidnapping and holding people against their will. I mean, if you're going to take your reasoning to its natural conclusion...
Exactly! How did you guess I'm against forced imprisonment and consider it kidnapping?
The answer, unequivocally, is yes. More precisely, they operate under different sections of the same laws that you and I do.
Police conducting undercover operations frequently break the law. For example, they might bribe someone, or pay money for stolen goods. They may even use illegal drugs.
Yes, imagine if undercover cops weren't allowed to abuse a child. All a drug lord would have to do to figure out if someone was a cop was ask them to abuse a child and then shoot them in the head if they refuse. Sure there is probably a false positive issue but I doubt they care.
Of course, you're assuming that the undercover drug lords are intelligent. Is this the case? Have they figured out how to make efficient use of the information resources at their disposal? Intriguing question.
> If I take his computer and host the files on the same machine for 2 weeks before handing it over to the police
Your example is different as you haven't gotten approval from the law enforcement authorities, like they claim to have gotten in the GP's quote. I'm sure that if you ask before acting upon it your chances of being arrested are a lot lower, and although they would probably revoke your request, they might allow someone else more apt for this (e.g. FBI).
Not trying to be snarky, but I hope the justice system doesn't work so that to break the law all I have to do is get permission from the police... What I would like to know is what law allows them to make this kind of decision.
Ah. Well, I guess if it gives itself permission, that's okay then. We wouldn't want them to need consent of the governed or anything. They might say no!
Cute cynicism, but you elect representatives who in turn appoint people to positions of authority. That's how this works. The laws are created and managed by people put into power by the governed.
I understand that may go against your Freshman sociology 101 libertarian mantra, but the real world has already sorted this out and it tends to work pretty well.
> The laws are created and managed by people put into power by the governed.
I see from the apparent sincerity behind your comment that I have lived in Chicago, and you have not.
The way the system works is that you vote, the government pretends to care what you think, and it continues to do whatever the hell it was doing as before, only with minor tweaks to its public relations budget. It's still better than the alternative, which is an armed regime controlling your life without pretending to care what you think.
Libertarian fantasies notwithstanding, most people need to join an armed cartel in order to realize a better quality of life, and no one really benefits from whitewashing over that. The real world reads Machiavelli, a Modern Approach, and the politics of money, fear, and control are now very nearly perfected.
It works "pretty well" only for a minority of wealthy backers. It's very easy to find someone faring worse than you under the prevailing political system. In 4000 years, the mechanics of human political power structures have remained largely unchanged, while technology has improved by many orders of magnitude.
The FBI guidelines for undercover activity, including a specific discussion of permissions required to undertake criminal activity, and which activities are not allowed, are covered here: http://www.justice.gov/ag/undercover-and-sensitive-operation...
No, because drug dealers are not directly harming people and they are running it. It would be like a murderer being given aid to murder more people while they go after the people at the top. Which is horrendous. And which, if I remember correctly, has happened.
Do you really have a problem with that? They didn't make the porn. It's not like removing it would prevent it from being made in the first place. They were capturing information on additional pedophiles. In what world are you trying to frame that as wrong?
If serving up the material isn't directly harmful to a child, it should be protected under the First Amendment to view and possess (not talking production).
If serving up the material is directly harmful to a child, then the FBI was engaging in abusing children.
The FBI wants to claim it is the second case when anyone else is doing it but the first case when they do it.
Do the ends justify the means?
If you're okay with the FBI running a child porn server, are you okay with the FBI creating a child porn server?
How about the FBI creating its own child porn, just to catch pedophiles?
How about the FBI selling drugs just to catch drug users?
You are grasping at straws. Yes I am OK with the FBI temporarily leaving a child porn server up to capture more pedophiles. No I am not OK with the FBI creating child porn. Use your brain. These aren't even close to the same thing.
Yet the whole reason it is illegal to possess is because possession is considered a direct act of harm against a child comparable to (though not as severe as) production.
Freaks don't automatically become cyber crime experts. Otherwise they'd likely be using a browser inside a VM that only has access to a TOR proxy and no connection to the real internet.
It's not that simple. Using the Tor browser bundle, there is no protection against phone-home exploits outside the browser. Firewall rules would prevent them, but that's up to users. Far better is to use Whonix Tor gateway and workstation VMs in VirtualBox. The workstation VM has no Internet connectivity except via Tor running in the gateway.
Using the Tor browser bundle in Windows is especially risky. The FBI has relied on Firefox bugs and dropped Windows executables. In the Freedom Hosting case, the FBI used a Firefox vulnerability that had just been patched in Tor browser a week or so before.
>Using the Tor browser bundle, there is no protection
Of course not, which is precisely why running Flash is ludicrously stupid.
Nobody is claiming that the "victims" of these other exploits are stupid -- just the ones who installed and used Flash (and probably had to deactivate noscript in the process).
And more to the point, any remotely reasonable person will RTFM (at least superficially) before using a tool to do something highly illegal. Not doing so is the very definition of stupid.
It's pedophiles, not tech experts or even users. I would guess a lot of them don't significantly use their computers, and only got someone to show them the whole Tor thing, or watched a YouTube video on it or something.
It's still possible to make the Flash plugin work in "Tor Browser", at least it was possible in the past. And there are many ways to trick somebody into installing and activating a plugin.
Reconfiguring a security tool without reading the FM, and then using said tool to commit a federal-pound-me-in-the-ass-prison-crime is mind-bogglingly stupid.
These people lack even the most basic forms of common sense.
These are people that were using said security tool for one of the worst possible uses imaginable, not security experts or even what most people would call "power users". If they had common sense they wouldn't be looking up pictures of kids in the first place.
As someone else pointed out they probably got told about Tor to avoid being caught either on a really creepy message board or wherever it is creeps hang out (the 70's wire frame glasses and fanny pack store?), watched a YouTube video or read a text file/readme that has been passed around on these boards or whatever. They likely have very little actual computer knowledge.
Or they are mundane people who want to discover Tor. It happened to me (20 years ago). Hopefully the hard disk where the picture has been stored (during less than one minute, before I removed it) does not exist anymore.
If one were to take a look in the long run, what does it mean to the software industry as a whole that bugs are being exploited by script kiddies to mess around, protesters who want to block access in order to raise awareness, criminals that want to steal money or trade illegal content, police that want to catch criminals, secret police that want to keep track of everything a population does, spies that want to keep track of everyone, and military that simply want to break things and take down the bad guys? Each and everyone depends on the same software bugs being unpatched and kept a secret.
Regardless of the cause, is anyone else concerned with the legal precedents they are setting to catch pedophiles and drug dealers?
Legally, there is no real difference between doing this to catch those sorts of people and doing it to de-anonymize whistleblowers under the guise of "National Security" who use Tor to relay such information to the press. :/
You're absolutely right. Legally there is absolutely no difference between busting pedophiles on Tor and busting "whistleblowers" talking to the press, legally speaking. No difference. It's legally the exact same.
Semi-related question: If I write a spider for Tor and my spider collects CP (NOT by design but just in the course of spidering) how responsible am I for:
* Having that data in my DB
* Showing said site in search results
I assume the answer is something like: "You're not as long as when you do notice it you report it and then delete it off your servers (Maybe also blacklist the Tor URL so it doesn't get re-spidered/indexed)."
I haven't written anything to do this but the concept is extremely interesting to me but I'd hate to write something, let it run, forget about it (keeping it running or just holding on to the data if I ever want to do something with it), and then get in trouble down the line for having CP or other illegal material. I've tried googling for this but couldn't find anything good.
TL;DR: Are search engines (on the web or Tor) responsible for the content of the sites they index?
I'm glad they busted them but hopeful that using the technology to stop clearly bad guys does not lead to abuse of the ability to use the technology on a wider basis. It probably will though eventually. It would be great if use required the consensus of at least three courts and one of them federal.