These changes seem like an excellent step. But it's worth noting that even under the new proposal Aaron would have likely run afoul of the "access without authorization" component. I'm also not sure the new language around repeat offenders would have made a difference given the plea bargain, but I could imagine it would have made the maximum sentence sound less scary.
In addition to the two changes listed by Ars Technica, there's another tweak making it clear that the court should consider the "fair market" value of the information, which I guess for JSTOR would have still looked quite high.
I've argued till I've become blue in the face about this and I guess I'm a glutton for punishment so I'll ask it again: exactly where in the facts do you think authorization was missing?
MIT allows a level of access on its networks that people not on MIT have trouble understanding; it's not what you or I (assuming you're not from MIT) would think of on other campuses and certainly not in the private sector.
Second, you can't have your cake and eat it too. You can't have an unusually open access system in place, one that allows any and all visitors to come on with any email they wish, but then think that blocking an IP means you can call it a day, authorization over. That makes no sense. If he uses a new address, he gets authorization again. If he gets a new MAC address he gets authorization again. Sadly, I think for MIT to remove authorization they would have to be less open, they would have to actually change policies for signing up to campus networks.
And don't get me started on the unlocked, well graffiti'd closet...
I was thinking the same thing. I am one of those in the middle that believe Aaron broke the law but was being overprosecuted. Perhaps if facing a much lesser punishment, Aaron would have stood by his cause instead of checking out.
(I think the law is a step forward, though I don't think it does enough to mitigate the real problem with CFAA, which is that sentences under CFAA scale with dollar damages. The bit about making it harder to "accelerate" CFAA crimes when they're done in furtherance of crimes that are also CFAA crimes is also very important, but doesn't address the core flaw of the statute.)
Have you stopped to think about the fact of enforcing the CFAA so harshly against private citizens (e.g. downloading too many JSTOR articles), while their government boasts about hacking into the critical network infrastructure of other countries? Something doesn't seem right. Wild west, but global, I guess.
> The proposed definition … is to obtain information … by knowingly circumventing technological or physical measures designed to prevent unauthorized individuals from obtaining that information.
suggests that, in that context, the debate would be whether a certain URL structure implies a legitimate attempt at securing content, rather than just being a side-effect of website structure/design.
Would it be unreasonable to argue that blatant disregard for security due diligence or just 'bad' security is not an honest attempt at the same, and thus equivalent to no security at all?
aston | 12 years ago
MWil | 12 years ago
jack-r-abbit | 12 years ago
unknown | 12 years ago
[deleted]
tptacek | 12 years ago
hispeedencrypt | 12 years ago
rayiner | 12 years ago
Yes, "international law" is a fiction and rightly so.
monochromatic | 12 years ago
a_soncodi | 12 years ago
Goladus | 12 years ago
hkmurakami | 12 years ago