Context is important in law. It's not illegal to change your mac address or wear a ski mask. It can be illegal to do both of these things while committing other crimes.
I'm really sick of these sensational posts/comments showing up on HN. I know, I'm not supposed to complain about quality of posts or comments but the past week has really changed my view on the current state of HN. Witch hunts, sensational stories, jumping to conclusions, hating the law/government, etc. Let's go back to technical news.
Interesting post. Not sure if your point is to dispute the OP or to whine about HN but to be safe I'll comment on both :-)
The OP is alarmed at the use of common privacy enhancing techniques (of which wearing a ski mask is one) which allows a prosecutor to 'enhance' the charges against someone to increase the threat level. They are also alarmed that non-technical people cannot see that changing your MAC address is just "easy" for a technical person to do as holding one hand over the other as you type in your PIN at the grocery store, and equally innocuous. Nobody disputes that 'changing your MAC address' should not be considered as evidence of intent when prosecuting a crime, but there is a lot of dispute as to whether that action in and of itself rises to the level a crime in its own right. This is what the OP fears will happen, and there is some evidence to support that.
That takes us to your second paragraph which talks about how painful it is for you when others express their emotions with respect to the events of the past weekend (and to be clear other events like it). Generally, yes, HN is a community of technologists and technology enthusiasts who discuss the merits or lack thereof of various technology trends, events, and personalities. That said, it is also a community of people. People can often discuss dispassionately about topics that are at arms length, but the weekend case struck close to home for noticeable fraction of the hundreds of thousands of people who visit this community. They need time to process these events, and one way they process them is that they talk about them.
My point is that it helps to appreciate that others may be more affected by recent events than you were and this is their way of processing their emotions. No need to whine about it, you can take a break from HN for a week or so until it winds down. When things are continued beyond their reasonable lifetime they tend to get moderated down. Patience.
A minor quible, since it seems to be confusing people elsewhere in the thread. It isn't illegal to change your MAC address at all per se. It's illegal to access a network without permission. All the MAC spoofing did was help prove mens rea, that Aaron knew that the people in charge of the network were trying to keep him off of it when he accessed it anyways.
By analogy, there's nothing illegal about entering a building through the window. But if you try the door of a random and find it locked and then enter through the window that's still trespass. But if you make a habit of always entering buildings through open windows when they're available so you never try the door you might be able to argue that you didn't know the building wasn't public. At least, you could try to argue it to a jury and depending on the circumstances I guess it might work.
You have completely and absolutely missed the point.
Changing MAC addresses (upon every restart) is something I do too. It is an extremely easy thing to do. That such an obvious thing will effortlessly add to a list of charges, amplifying the prosecutor's case for no good reason, is what the issue is.
The most frustrating thing about your comment is your condescending attitude. It's exactly this kind of behavior that is sliding us down a path of draconian laws that will in the end harm us all. Please think before going off like this.
There are very real problems with our laws. That Aaron was facing 35 years in prison for what he did is very clear evidence of that, and this is far from the only broken law.
While hating on the system can be done in stupid ways, ignoring these sorts of things doesn't make them less real.
Besides that, this sort of thing fits the criteria for submissions on HN. I'd even go so far as to say that this is more appropriate than the latest news about incremental changes in X.
That is exactly the thing that drives charge inflation. You don't just get indicted for committing a crime, you also get charged with walking the streets while intending to commit the crime, wearing the pants with intent to commit crime, not telling the policemen you're going to commit crime, using your laptop in committing the crime, using public airwaves while committing crime, concealing your identity with criminal intent, etc. etc. That's where 30-year charges come from. I think it does indicate serious problem - why changing MAC address should be a felony in any context? If somebody did something evil and changed MAC address - convict him for something evil, not for changing MAC address. Only reason I see why such charges exist is to coerce plea bargains.
I'm really sick of these sensational posts/comments showing up on HN.
Seconded, and I'm also tired of the dogmatic and uninformed approach to legal issues. Just because law employs logic does not mean that being a programmer gives a superior understanding of law. The same misconceptions crop up over and over again and badly lower the signal:noise ratio.
> It's not illegal to change your mac address or wear a ski mask. It can be illegal to do both of these things while committing other crimes.
Honest question: why is that? Why is it not enough to charge someone for the actual crime they committed? Why does someone need to be charged for committing it a specific way?
THANK YOU - you can pick up your friend from the store with your car and it is legal, but if your friend is robbing the store and you are helping him escape, you are now an accessory.
You can carry a concealed handgun and shoot it at a shooting range, but if you murder someone with it - you will not only be charged with murder, but also with unlawful use of a handgun. There is no story here. Ugg...
Under the CFAA, it might in fact be illegal to randomize your MAC address depending on the terms of use for the network you are accessing. It is not illegal for this guy to access his home network in this way, because he owns the network. However, the danger of the CFAA is that it makes it a crime to violate user agreements - which can say anything that the network or site owner wants them to. It effectively allows anyone to author and implement their own criminal laws and have them be enforced by the full power of the federal government.
As for the wire fraud implications (which are separate from the CFAA), if you cause a false statement to be transmitted for the purpose of obtaining money or property, you have committed wire fraud and face a potential 20 year sentence. Spoofing MAC addresses to exceed access limits, for example, would qualify. You are causing your device to mask its true identity for the purpose of obtaining "property" that you wouldn't otherwise have access to.
Besides taking the "civil liberty" angle, I'm trying to get to the "witchcraft" angle. As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch". People fear magic they don't understand, and distrust those who wield that magic. Things that seem reasonable to technical geeks seem illegal to the non-technical.
The "witch" comment reminded me of the shift in the term "hacker" to refer to criminal behavior. A lot of people distrust cleverness. I've always suspected that if another term was adopted for positive hacking, such as "tinkerer", it too would be shifted to have a negative or criminal connotation.
It was frustrating that in high school, whenever any computer shenanigans went down, I would always be the one who was automatically called to the principal's office. And some of those times, I wasn't even the one responsible. ;)
I am not a lawyer, and neither is the author. But I suspect that there's nothing illegal about randomizing your MAC address or concealing your online identity. It's the combination of those things and committing some other "crime" (ie accessing data or systems for which you don't have permission) that becomes a problem, in that it shows intent to deceive the other party.
Changing your MAC address is not, by itself, illegal. But the path from there to a felony is easy to cross.
Suppose that you have an ISP that only allows you to connect one device to their modem. (This used to be very common.) Suppose that you want to connect a different device. (Again a common desire.) Suppose that you spoof the MAC address of the original device so that you can connect. (This use case is a big part of why consumer electronics added the ability to spoof MAC addresses.)
Under federal law, you've now committed a felony for which you can serve jail time. Your access to your ISP's network is unauthorized.
Let me make this personal. This is not a random use case. I have done this. If anyone had cared, I could be charged with a felony. I could serve jail time, for accessing a network that I paid for in a way that I thought was pretty fair. (My "crime" being that I wanted to attach a wireless modem to the network so that I didn't have to have a wire connecting my laptop while I was using it. OK, I was bad, my wife and I could both use computers at the same time.) I didn't think I was doing anything wrong. It was a pretty common act. It was still a felony.
So no, randomizing your MAC address is not illegal. But the line between legal and a felony here is awfully easy to cross.
The problem is that the various computer crime laws are vague and subject to interpretation. I read an article recently claiming that accessing a URL manually that is not intentionally exposed via a public link could be considered a form of unauthorized access and wire fraud.
Yes, it's pretty simple. If I knew, or should have known, that you did not want me on your wireless network, and I kept on going on by changing MACs, I've crossed a line.
Probably a line with small damages if it's just your home router.
Not a lawyer either. But from reading a dozen or so articles regarding the case it sounds like the general timbre of human emotion in those posts believes that charges of 'concealing his true identity' are used simply to increase the possible sentence. It reminds me similarly of RICO statutes which allow prosecutors to lump various charges together in order to create 'super' charges. Also reminds of me Captain Planet for some reason. Except his evil doppelganger.
Why should we even be trying to sugarcoat what he did? His intention was right but perhaps means weren't and thats how every rebel goes about doing their stuff. They aren't too much concerned about "confirming", and ,duh, not for nothing they are a rebel. The moment the society and the government start treating A Rebel With a Cause for the means they take than read the message they are trying to convey, it invariably shows the rot in the system. A system that doesnt like mirror being shown at. Lets please stop finding reasons for Aaron's action, instead lets accept what he did was not confirming to the system, we also need people who question and challenge the system not just those who confirms!
No, he wasn't kicked off, just the MAC address of his laptop was banned. As the article author wrote, if someone blocks your number, it's not illegal to call him/her from a different phone number.
Maybe they could make it illegal if they got a restraining order, but AFAIK MIT did not do that.
The author has not bothered to read the indictment. Maybe he should talk with MIT's sysadmins, who were attempting to block Swartz's MAC address as he changed them when the MIT sysadmins found out about them. They were trying to block Swartz. It's their network. The author's blog post doesn't mention any of this. What the author should do is block his own access based on his MAC address, change his MAC address to get around his own block, and then blog about it. He could wear a bike helmet to conceal his identity and run away when he attempts to apprehend himself, for extra realism. Then he could think about the implications for the case, as a "security" expert.
It is their network, but does changing a MAC address to resolve, presumably, flaky network problems count as circumvention? I don't think Access was meant to imply Authentication in the naming of MAC.
If my telephone at home suddenly and inexplicably stopped working and I walked up the pay phone down the street to get another phone number, am I running the risk of legal consequences because my own phone number may have been cut off on purpose?
If he was explicitly told why his MAC addresses were being blocked, you may have a point. However, if he was explicitly talked to about what was going on, how was it able to escalate to the level it did?
I always wonder at these sort of tinfoil hat articles. It seems to me that someone who has the skills and access to the internet but does not leave much of a trace is a huge red flag for what ever the tinfoil hatter fears. A better strategy would be to boot in to your original MAC address then have a covert switch that randomizes it for doing things out of the ordinary, then returns it to normal once they are done. If you fear you are being tracked, it would be better to leave a completely normal, boring footprint that is easy to find. Normal boring Facebook page, tweets, etc. All the way down to a cache of vanilla porn on your hard drive with just a hint of kink for that ah ha moment. Then anything that goes beyond what you want that footprint to look like then moves to randomized MAC addresses, TOR networks and all the other tricks…
I once did a test on my own network to see what would happen if I assigned two computers the same MAC address (but different IP addresses). You know what happened? Nothing. Despite my best efforts (for all of 30 seconds), I couldn't see any meaningful difference in the behavior of the computers. I was expecting tons of dropped packets as my switches tried to figure out what port that address was really on, but it didn't happen.
The charges are most likely not for how he did (spoof MAC addresses), but what he did (redistribute material he obtained without permission). A crime exists if it can proved there's intention.
This argument goes towards the DMCA, as well as what is considered under the CFAA..
"Intentionally accessing a computer without authorization to obtain: ....Information from any protected computer."
What does 'without authorization' mean, and what does 'protected' mean?
Does without authorization mean you violate a click-through license? Or is there some nebulous authentication chit you are handed? Is it a felony to fake your name on a website demanding your name?
And with that keyword 'protected', how do we know it is indeed protected? What steps one must take to protect, and what steps one must go through to understand that it is indeed protected computer/data?
In other words, we are all felons-on-standby. The laws are so vague as to entrap all by default.
The problem, of course, is that in the original law it actually said "federal interest computer" instead and was targeted primarily at computers used by financial institutions and the U.S. Government (which you still see in subsection (A)), but has since been amended to include computers "used in or affecting interstate or foreign commerce or communication" which is a term of art that means anything within the power of Congress to regulate under the interstate commerce clause, which I'm led to understand means pretty much everything now. So that's even worse then: Sorry you thought it was vague and might have been able to argue your way out of it, I hope you enjoy your cell.
I really am astonished at how bad this law is. "Without authorization" is undefined and so overly broad that it seems to capture just about anything and then the penalties are preposterous even for the smallest of violations. We really need to fix this.
>Is it a felony to fake your name on a website demanding your name? //
It would be a breach of contract if the website specified your "legal name" and that is defined in your jurisdiction. If you then used that access to acquire goods/services/property that you wouldn't otherwise get possession of then that would be acquiring by deception and most likely be breach of IP laws.
You can carry a concealed handgun and shoot it at a shooting range, but if you murder someone with it - you will not only be charged with murder, but also with unlawful use of a handgun. This is common sense stuff here people sheesh.
[+] [-] watty|13 years ago|reply
I'm really sick of these sensational posts/comments showing up on HN. I know, I'm not supposed to complain about quality of posts or comments but the past week has really changed my view on the current state of HN. Witch hunts, sensational stories, jumping to conclusions, hating the law/government, etc. Let's go back to technical news.
[+] [-] ChuckMcM|13 years ago|reply
The OP is alarmed at the use of common privacy enhancing techniques (of which wearing a ski mask is one) which allows a prosecutor to 'enhance' the charges against someone to increase the threat level. They are also alarmed that non-technical people cannot see that changing your MAC address is just "easy" for a technical person to do as holding one hand over the other as you type in your PIN at the grocery store, and equally innocuous. Nobody disputes that 'changing your MAC address' should not be considered as evidence of intent when prosecuting a crime, but there is a lot of dispute as to whether that action in and of itself rises to the level a crime in its own right. This is what the OP fears will happen, and there is some evidence to support that.
That takes us to your second paragraph which talks about how painful it is for you when others express their emotions with respect to the events of the past weekend (and to be clear other events like it). Generally, yes, HN is a community of technologists and technology enthusiasts who discuss the merits or lack thereof of various technology trends, events, and personalities. That said, it is also a community of people. People can often discuss dispassionately about topics that are at arms length, but the weekend case struck close to home for noticeable fraction of the hundreds of thousands of people who visit this community. They need time to process these events, and one way they process them is that they talk about them.
My point is that it helps to appreciate that others may be more affected by recent events than you were and this is their way of processing their emotions. No need to whine about it, you can take a break from HN for a week or so until it winds down. When things are continued beyond their reasonable lifetime they tend to get moderated down. Patience.
[+] [-] Symmetry|13 years ago|reply
By analogy, there's nothing illegal about entering a building through the window. But if you try the door of a random and find it locked and then enter through the window that's still trespass. But if you make a habit of always entering buildings through open windows when they're available so you never try the door you might be able to argue that you didn't know the building wasn't public. At least, you could try to argue it to a jury and depending on the circumstances I guess it might work.
[+] [-] clicks|13 years ago|reply
Changing MAC addresses (upon every restart) is something I do too. It is an extremely easy thing to do. That such an obvious thing will effortlessly add to a list of charges, amplifying the prosecutor's case for no good reason, is what the issue is.
The most frustrating thing about your comment is your condescending attitude. It's exactly this kind of behavior that is sliding us down a path of draconian laws that will in the end harm us all. Please think before going off like this.
[+] [-] nsmartt|13 years ago|reply
While hating on the system can be done in stupid ways, ignoring these sorts of things doesn't make them less real.
Besides that, this sort of thing fits the criteria for submissions on HN. I'd even go so far as to say that this is more appropriate than the latest news about incremental changes in X.
[+] [-] smsm42|13 years ago|reply
[+] [-] anigbrowl|13 years ago|reply
Seconded, and I'm also tired of the dogmatic and uninformed approach to legal issues. Just because law employs logic does not mean that being a programmer gives a superior understanding of law. The same misconceptions crop up over and over again and badly lower the signal:noise ratio.
[+] [-] wwwtyro|13 years ago|reply
Honest question: why is that? Why is it not enough to charge someone for the actual crime they committed? Why does someone need to be charged for committing it a specific way?
[+] [-] unknown|13 years ago|reply
[deleted]
[+] [-] philiac|13 years ago|reply
[+] [-] goggles99|13 years ago|reply
You can carry a concealed handgun and shoot it at a shooting range, but if you murder someone with it - you will not only be charged with murder, but also with unlawful use of a handgun. There is no story here. Ugg...
[+] [-] downandout|13 years ago|reply
As for the wire fraud implications (which are separate from the CFAA), if you cause a false statement to be transmitted for the purpose of obtaining money or property, you have committed wire fraud and face a potential 20 year sentence. Spoofing MAC addresses to exceed access limits, for example, would qualify. You are causing your device to mask its true identity for the purpose of obtaining "property" that you wouldn't otherwise have access to.
[+] [-] timbre|13 years ago|reply
[+] [-] SoftwareMaven|13 years ago|reply
[+] [-] JayNeely|13 years ago|reply
Excellent insight.
[+] [-] rayiner|13 years ago|reply
[+] [-] simmons|13 years ago|reply
It was frustrating that in high school, whenever any computer shenanigans went down, I would always be the one who was automatically called to the principal's office. And some of those times, I wasn't even the one responsible. ;)
[+] [-] CurtHagenlocher|13 years ago|reply
But again, I am not a lawyer.
[+] [-] btilly|13 years ago|reply
Suppose that you have an ISP that only allows you to connect one device to their modem. (This used to be very common.) Suppose that you want to connect a different device. (Again a common desire.) Suppose that you spoof the MAC address of the original device so that you can connect. (This use case is a big part of why consumer electronics added the ability to spoof MAC addresses.)
Under federal law, you've now committed a felony for which you can serve jail time. Your access to your ISP's network is unauthorized.
Let me make this personal. This is not a random use case. I have done this. If anyone had cared, I could be charged with a felony. I could serve jail time, for accessing a network that I paid for in a way that I thought was pretty fair. (My "crime" being that I wanted to attach a wireless modem to the network so that I didn't have to have a wire connecting my laptop while I was using it. OK, I was bad, my wife and I could both use computers at the same time.) I didn't think I was doing anything wrong. It was a pretty common act. It was still a felony.
So no, randomizing your MAC address is not illegal. But the line between legal and a felony here is awfully easy to cross.
[+] [-] lukifer|13 years ago|reply
[+] [-] djt|13 years ago|reply
[+] [-] danielweber|13 years ago|reply
Probably a line with small damages if it's just your home router.
[+] [-] johndavidback|13 years ago|reply
[+] [-] juzfoo|13 years ago|reply
[+] [-] wlievens|13 years ago|reply
[+] [-] nsmartt|13 years ago|reply
I don't really know how to explain how I feel about it, but that's my understanding.
[+] [-] tomp|13 years ago|reply
Maybe they could make it illegal if they got a restraining order, but AFAIK MIT did not do that.
[+] [-] ChristianMarks|13 years ago|reply
[+] [-] randomdata|13 years ago|reply
If my telephone at home suddenly and inexplicably stopped working and I walked up the pay phone down the street to get another phone number, am I running the risk of legal consequences because my own phone number may have been cut off on purpose?
If he was explicitly told why his MAC addresses were being blocked, you may have a point. However, if he was explicitly talked to about what was going on, how was it able to escalate to the level it did?
[+] [-] BashiBazouk|13 years ago|reply
[+] [-] nitrogen|13 years ago|reply
[+] [-] louischatriot|13 years ago|reply
[+] [-] annnnd|13 years ago|reply
Sometimes the very acts that you do when trying to conceal your identity can be used to reveal it.
[+] [-] hcarvalhoalves|13 years ago|reply
[+] [-] TheAmazingIdiot|13 years ago|reply
"Intentionally accessing a computer without authorization to obtain: ....Information from any protected computer."
What does 'without authorization' mean, and what does 'protected' mean?
Does without authorization mean you violate a click-through license? Or is there some nebulous authentication chit you are handed? Is it a felony to fake your name on a website demanding your name?
And with that keyword 'protected', how do we know it is indeed protected? What steps one must take to protect, and what steps one must go through to understand that it is indeed protected computer/data?
In other words, we are all felons-on-standby. The laws are so vague as to entrap all by default.
[+] [-] AnthonyMouse|13 years ago|reply
Protected computer is actually defined in the statute (subsection (e)(2)): http://www.law.cornell.edu/uscode/text/18/1030
The problem, of course, is that in the original law it actually said "federal interest computer" instead and was targeted primarily at computers used by financial institutions and the U.S. Government (which you still see in subsection (A)), but has since been amended to include computers "used in or affecting interstate or foreign commerce or communication" which is a term of art that means anything within the power of Congress to regulate under the interstate commerce clause, which I'm led to understand means pretty much everything now. So that's even worse then: Sorry you thought it was vague and might have been able to argue your way out of it, I hope you enjoy your cell.
I really am astonished at how bad this law is. "Without authorization" is undefined and so overly broad that it seems to capture just about anything and then the penalties are preposterous even for the smallest of violations. We really need to fix this.
[+] [-] darkarmani|13 years ago|reply
If so, facebook has made us all felons. We won't get access to facebook if we didn't give up our names, so it's wirefraud.
[+] [-] pbhjpbhj|13 years ago|reply
It would be a breach of contract if the website specified your "legal name" and that is defined in your jurisdiction. If you then used that access to acquire goods/services/property that you wouldn't otherwise get possession of then that would be acquiring by deception and most likely be breach of IP laws.
[+] [-] goggles99|13 years ago|reply