Last week we concluded with the question...Should Aaron's law allow users to change their ISP addresses, when such actions may/will be used to commit criminal acts. When I suggested this many people (most likely technologically gifted) raised their hands to respond. Unfortunately, we ran out of time and were not able to resume the conversation today. So I thought I would bring it up online. So the question is out there should we allow people to change their ISP addresses, when changing the ISP would only result in a prohibited activity. If you want the original article--http://www.wired.com/threatlevel/2013/02/aarons-law-amending-the-cfaa/. or if you want the edited bill--http://www.wired.com/images_blogs/threatlevel/2013/02/Aarons-Law_revised-draft.pdf.
Now before we begin engaging in an interesting debate, let me pose a few questions.
First, is there a difference between an online identity and a real/physical identity?
Second, why don't we allow people to make several (real/physical) identities for the purpose of privacy?
Third, if the majority of people who change their ISP, are in-fact committing prohibited/illegal acts, is Aaron's law simply reactionary?
I hope this sparks a good conversation.
I don't fully recall the exact class discussion we were having two weeks ago, but I'd like to respond to the question in your first sentence. I think that Aaron's Law (or as the bill says it should be cited, "Aarons's Law Act") is simply trying to remove IP alteration from the scope of the CFAA. Aaron's law would decriminalize IP changes per se, but any downstream liability for IP changes would remain: these spoofers would not get off scot-free. For example, if Aaron's Law had been in effect when Aaron Swartz was alive, he would have incurred no CFAA liability for "repeatedly spoofing the MAC address of his computer after MIT blocked his MAC address." However, he would have remained liable for, say, wire fraud for stealing from JSTOR. Still, Aaron's Law would have prevented the U.S. Attorney from being able to bulk up the charges against him as much as she did.
ReplyDeleteIs Aaron's Law simply reactionary? Of course any "[first name]'s Law" is reactionary to some extent, but I don't think this one is overly reactionary or not well-thought out. The proposed spoofing exemption seems in line with the frustration that has existed for several years with the CFAA's poorly-tailored approach to serious computer crime. As U.S. v. Drew did in 2009, this exemption would remove a fairly non-serious crime from federal purview.
I support this exemption proposal because (1) it tones down the CFAA while keeping damage-causing hackers liable for what they actually do with the spoofed IP address, and (2) many (though probably not most) people who spoof IP addresses do it for lawful purposes, such as security and privacy protection. I am generally very supportive of anybody that takes affirmative steps to protect their own privacy at no harm to others.
I actually remember leaving off before we could answer that question, which is unfortunate because I feel like it is an interesting aspect of the debate over Internet privacy and Aaron’s Law in particular. One of the ways that opponents analogize the illegality of “spoofing,” ones IP address, is by suggesting that it is the same as attempting to where a mask in public. The argument, they suggest, is that the government would be justified in saying that you can’t wear a mask in schools, or when going to an airport, and therefore, they are no less justified in prohibiting the use of a, “cyber mask.” While such an argument is persuasive, I would say that it misses the point of the counterargument: that simply wishing to maintain anonymity is not itself a crime, and should not be treated as such.
ReplyDeleteWhile the mask argument is persuasive on some level, I often think of the debate in a different way. Much like the Supreme Court decided in the GPS tracking case, while the government may have a right to follow you around in an effort to track your movements and gather data on you, it cannot simply place a GPS tracker on your car to gather the same data. On some level, the Court recognized that collecting data in such a fashion was too easy and too valuable in the aggregate. In the same way, people that “spoof,” their IP address may simply wish to preserve the same type of anonymity that the Court says we are entitled to when walking around in public: the anonymity of the crowd. As Steve pointed out, the proposed change simply legalizes the act of remaining anonymous, not piracy, hacking, wire fraud, etc.
There are many reasons that people may want to preserve some degree of privacy on the Internet. Maybe they are paranoid and don’t like the idea of the government or companies tracking them. Maybe they want to avoid cultural taboos in a community that disapproves of whatever it is they are searching for. Maybe they simply hate the idea of being easily tracked. The point is, the desire to be left alone is one that we have traditionally recognized as valuable, and one that does not inherently harm anyone else. Sure you should be able to prosecute someone for stealing information or hacking into a database, but changing your IP address does not necessarily mean that you are doing those things, in the same way that buying a bag of fertilizer doesn’t mean that you are making a bomb. Anyways, those are some of my thoughts on the matter, but I’d be interested to hear from someone that disagrees with the proposed changes.
Does this issue strike anyone else as being similar to the privacy and First Amendment anonymity stuff? To refresh memories, McIntyre held that in at least some circumstances, the First Amendment guaranteed a right to anonymous political speech, but in 2010, Doe v. Reed substantially curtailed the scope of that First Amendment right to instances in which anonymity is specifically necessary to protect against threats or intimidation based on political beliefs.
ReplyDeleteI realize that defining anonymous conduct as a crime is basically on the opposite end of the spectrum from the Constitution protecting some anonymous conduct. In between those positions, there will obviously be a fair number of squishy gray policy positions. In this spirit, I understand that as a matter of policy, we might choose to allow people anonymity in the form of spoofing, but I don't think the Constitution compels us to and so the "right to be left along" here might be more accurately framed as a strong policy interest rather than as a right.