“I’m being arrested federally for winning on a slot machine,” he said. “It’s just like if someone taught you how to count cards, which we all know is not illegal. You know. Someone told me that there are machines that had programming that gave a player an advantage over the house. And that’s all there is to it.…

“Who would not win as much money as they could on a machine that says, ‘Jackpot’? That’s the whole idea!”

In short, the casinos authorized defendants to play video poker. What the casinos did not do was to authorize defendants ‘to obtain or alter information’ such as previously played hands of cards. To allow customers to access previously played hands of cards, at will, would remove the element of chance and obviate the whole purpose of gambling. It would certainly be contrary to the rules of poker.

• First up, is a documentary about Aaron Swartz called The Internet's Own Boy by Brian Knappenberger, who previously did a documentary about Anonymous. Knappenberger's film isn't a "memorial" about Swartz, but rather an "investigative" documentary about his story and the lawsuit against him, as well as the legal structure that led to his arrest and trial. The video that Knappenberger has put together is really compelling and touching: This project has received a lot of attention, so there's no surprise that it's quite close to its $75,000 target with a few weeks to go. It looks like it should be a great project to support.
• From once CFAA case to another. Krystof Andres & George Russell are doing a documentary called The Hedgehog & The Hare, all about the CFAA, but mainly focused on the case against Andrew "Weev" Auernheimer. The documentary will also explore how the CFAA goes way too far in trying to criminalize perfectly reasonable computer activities. The target for this project had much more modest goals than the Swartz one, though the production values definitely look a bit more amateurish. Plus, frankly, the rewards on the Swartz movie are a lot more reasonable. That said, with just a few days left, it looks like this movie is likely to squeak by the target even if it's just slightly under as I write this.
• This next one, I'm a bit less sure about, but the topic could be interesting. It's supposedly a short film, made in South Africa about the big pharmaceutical makers going after generic drug makers, called The Cure. What makes me a bit unsure about is that the filmmakers, Katey Carson and Errol Schwartz, seem a hell of a lot more excited about the fact that (a) they signed up some "Oscar-winning talent" to be in the film and (b) that they're filming the whole thing with an iPhone, than they are about the story, which they barely mention at all. The topic sounds interesting. I just wish they'd actually have said something about that, rather than the other stuff which really isn't that interesting. The project has barely raised any money, and they're pretty ambitious to seek $35,000 for this. But since it's an Indiegogo "flex funding" campaign, they'll get the money even if they don't raise the full amount. Also, the "rewards" you get back seem ridiculously high priced. You have to pay $100 just to get a download of the short film and $50 for the script? Hmmm. Love the idea of a film that highlights problems with drug patents, but not sure this is the best way to do it.
• And, finally, a documentary about piracy. I mean that's what critics insist this site is all about, right? So I figured, why not. Here's a documentary film about a Somali pirate -- you know, one who actually hijacked a ship, called The Smiling Pirate, which aims to tell the story of the one remaining living member of the pirates who hijacked the Maersk Alabama. As the story suggests, despite a forthcoming Tom Hanks movie about this whole thing, there appear to be a lot more questions than answers about what really happened both aboard the ship and then with the captured pirate after the whole thing happened. Sounds like an interesting story, but it hasn't picked up very many backers yet. It's also an Indiegogo flexible funding project, so will receive any money it raises, but it's not clear if it'll get enough to really support the making of the documentary any time soon.

The meaning of the phrase “You also expressly grant and assign to [Craigslist] all rights” was the subject of some debate at the hearing on these motions, but the “all rights” language relates specifically to enforcement rights–not rights to the content of the posts. The language assigning rights to the content did not use the phrase “all rights,” and did not specify that the rights granted were “exclusive.” Craigslist provides no authority for the proposition that an ambiguous grant of rights is presumptively exclusive, and the Court declines to read that term into the terms that Craigslist itself drafted

Craigslist has alleged that its “classified ad service is organized first by geographic area, and then by category of product or service,” with these categories organized in “a list designed and presented by craigslist.”... Construing the relevant allegations in Craigslist’s favor at this early stage in the proceedings, the Court concludes that Craigslist, in “deciding which categories to include and under what name,” ... “display[ed] some minimal level of creativity,”

Clicking “Continue” confirms that craigslist is the exclusive licensee of this content, with the exclusive right to enforce copyrights against anyone copying, republishing, distributing or preparing derivative works without its consent.

So, if you posted a craigslist ad while this provision was live, you're out of luck. craigslist's ownership claims over user posts could potentially mean that the affected users can’t republish their ads on multiple services without risking a claim of infringement. And while not every craigslist post is going to go viral and have real value outside the original context (like the “Jesus Tap-Dancing Christ” car ad), users still need the right to post and repost their material in a variety of venues. Moreover, the exclusive license provision calls into question craigslist’s compatibility with common licensing schemes, like the Creative Commons ShareAlike license or the GNU Free Documentation License for the time that provision was valid. And, worse still: craigslist’s actions, and the court's ruling, only increases the chance that other websites will start demanding ownership of the content you post there.

The Court need not decide whether violating “restrictions on access to information” contained in a website’s terms of use can ever support liability under the CFAA, because Craigslist’s TOU contain only “use” restrictions, not true “access” restrictions as the term is used in Nosal. Although the TOU include a section titled “Unauthorized Access and Activities,” parts of which are framed in terms of “access,” these restrictions depend entirely on the accessor’s purpose. TOU at 6-7 (prohibiting, e.g., “access to or use of craigslist to design, develop, test, . . . or otherwise make available any program” that interacts with Craigslist).

Aside from the TOU, however, Craigslist specifically denied authorization to use the website “for any purposes” in its cease and desist letters, Kao Decl. Ex. A, and also used technological measures to block access from IP addresses associated with 3Taps, which Craigslist alleges that 3Taps bypassed by using different IP addresses and proxy servers to conceal its identity. Assuming that the CFAA encompasses information generally available to the public such as Craigslist’s website, Defendants’ continued use of Craigslist after the clear statements regarding authorization in the cease and desist letters and the technological measures to block them constitutes unauthorized access under the statute.

Cease and Desist Letters Should Not Make Access to a Website Criminal

The CFAA is both a civil and a criminal statute. This is a civil case, but has criminal ramifications. While the court looked at the earlier Facebook v. Power Ventures case, it misread a key holding. There, the court recognized that imposing criminal liability based on the “receipt of a cease and desist letter would create a constitutionally untenable situation.” This would put too much power in the hands of private parties to decide what a crime would be.

Changing IP Addresses Is Not Hacking

The court’s ruling on IP address blocking is dangerous because it could criminalize innocent behavior.

[....] There is nothing inherently improper, never mind unlawful, about switching IP addresses and thereby avoiding IP address blocking. Moreover, when a website is available without restriction to the public, a private party should not be able turn access into a crime to back up owner preferences or terms of service with the weight of criminal authority.

Impersonation: You may not impersonate others through the Twitter service in a manner that does or is intended to mislead, confuse, or deceive others

The Computer Fraud and Abuse Act is the law under which Aaron Swartz and other innovators and activists have been threatened with decades in prison. The CFAA is so broad that law enforcement says it criminalizes all sorts of mundane Internet use: Potentially even breaking a website's fine print terms of service agreement. Don't set up a Myspace page for your cat. Don't fudge your height on a dating site. Don't share your Facebook password with anybody: You could be committing a federal crime. (Read more here.)

It's the vagueness and over breadth of this law that allows prosecutors to go after people like Aaron Swartz, who tragically committed suicide earlier this year. The government threatened to jail him for decades for downloading academic articles from the website JSTOR.

Since Aaron's death, activists have cried out for reform of the CFAA. But members of the House Judiciary Committee are actually floating a proposal to expand and strengthen it -- that could come up for a vote as soon as April 10th! (Read more here.)

LAST Sunday afternoon, some friends and I were hanging out in a local bar, talking about what we’d be doing that evening. It turned out that we all had the same plan: to watch the season premiere of “Game of Thrones.” But only one person in our group had a cable television subscription to HBO, where it is shown. The rest of us had a crafty workaround.

We were each going to use HBO Go, the network’s video Web site, to stream the show online — but not our own accounts. To gain access, one friend planned to use the login of the father of a childhood friend. Another would use his mother’s account. I had the information of a guy in New Jersey that I had once met in a Mexican restaurant.

This means that inquisitive 12-year-olds who visit NBCNews.com to learn about current events would be, by default, misrepresenting their ages. Again, this could be criminal under the DOJ's interpretation of the CFAA.

We’d like to say that we’re being facetious, but, unfortunately, the Justice Department has already demonstrated its willingness to pursue CFAA to absurd extremes. Luckily, the Ninth Circuit rejected the government’s arguments, concluding that, under such an ruling, millions of unsuspecting citizens would suddenly find themselves on the wrong side of the law. As Judge Alex Kozinski so aptly wrote: "Under the government’s proposed interpretation of the CFAA...describing yourself as 'tall, dark and handsome,' when you’re actually short and homely, will earn you a handsome orange jumpsuit."

And it’s no excuse to say that the vast majority of these cases will never be prosecuted. As the Ninth Circuit explained, “Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.” Instead of pursuing only suspects of actual crimes, it opens the door for prosecutors to go after people because the government doesn’t like them.

Unfortunately, there’s no sign the Justice Department has given up on this interpretation outside the Ninth and Fourth Circuits, which is why the Professor Tim Wu in the New Yorker recently called the CFAA “the most outrageous criminal law you’ve never heard of.”

Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely. The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved. The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn’t worked...

Indeed, because legal doctrines already overlap so extensively, we almost never see an online trespass to chattels claim asserted on a standalone basis. Instead, an online trespass to chattels claim is usually just one of numerous legal violations asserted against the defendant. These doctrinal overlaps mean we usually don’t need online trespass to chattels either to supplement the more squarely applicable claims or to act as a “gap-filler” to plug the rare and narrow holes left by the other legal doctrines.

1) Repeal most provisions of the CFAA (that don't relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online. Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.

2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.

3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.

4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).

In the government’s view, visiting the URLs was an unauthorized access of AT&T’s website. But I think that’s wrong. At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an “unprotected website” that is “open to the public.” The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them.

Unauthorized access is ordinarily a misdemeanor. Why is this crime a felony? Here’s the government’s remarkable theory. All 50 states have state unauthorized access computer crime statutes similar to the federal unauthorized access statute. The government’s theory is that this overlap turns essentially all federal CFAA misdemeanors into federal felonies. They rely on 18 U.S.C. 1030(C)(2)(B)(ii), which states that a misdemeanor unauthorized access becomes a felony when it is “in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” The government argues that the existence of state unauthorized access crimes transform unauthorized access misdemeanor crimes into felonies: The overlap means that every federal unauthorized access crime is a federal crime “in furtherance of” the analogous state crime.

The largest part of Auernheimer’s sentence was due to an alleged $73,000 in loss suffered by AT&T. Under the provisions of the Sentencing Guidelines associated with 18 U.S.C. 1030, sentences are based primarily on the amount of loss caused by the crime. More dollar loss to the victim means more time in prison for the defendant.

First, AT&T notified its customers by e-mail. That was free, leading to a “cost” so far of zero. But then AT&T decided to follow-up the e-mail notification with paper letter notification, and the postage and paper costs amounted to about $73,000.

They’re looking for feedback, so here is mine: Stop taking DOJ’s language from back in 2011 and packaging it as something new. Based on a quick read, it seems that the amendments for 1030 in the new draft are mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011. I criticized that language here. The new circulating draft also adopts the sentencing enhancements (minus mandatories) and the proposed 1030a that DOJ advocated in May 2011. I criticized that initial DOJ language here. (There’s also a breach notification provision in the new language, but I haven’t followed that issue closely; I don’t know if that proposal is also based on old language.)

[....] This language is really, really broad. If I read it correctly, the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions. It would make it a felony crime for anyone to violate the TOS on a government website. It would also make it a federal felony crime to violate TOS in the course of committing a very minor state misdemeanor. If there is a genuine argument for federal felony liability in these circumstances, I hope readers will enlighten me: I cannot understand what they are.

My quick review and reaction to this bill is that it seems to answer most of what the Department of Justice wants with very little for the internet online community in return. Most notably the bill would make violations of the CFAA predicate acts for a RICO criminal charge — what this means is that if you engage in just two instances of violating the CFAA, then you are engaged in a pattern of racketeering, with substantial criminal penalties and .. .since the criminal definitions translate directly to civil liability .. a very significant possibility of a “bet the company” civil suit. Not a move designed to foster innovation, I think.

Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.

The broadest provision, 18 U.S.C. §1030(a)(2)(c), makes it a crime to “exceed authorized access, and thereby obtain… information from any protected computer.” To the Justice Department, “exceeding authorized access” includes violating terms of service, and “any protected computer” includes just about any Web site or computer. The resulting breadth of criminality is staggering. As Professor Kerr writes, it “potentially regulates every use of every computer in the United States and even many millions of computers abroad.” You don’t have to be a raving libertarian to think that might be a problem. Dating sites, to borrow an example from Judge Alex Kozinski, usually mandate that you tell the truth, making lying about your age and weight technically a crime. Or consider employer restrictions on computers that ban personal usage, like checking ESPN or online shopping. The Justice Department’s interpretation makes the American desk-worker a felon.

When judges or academics say that it is wrong to interpret a law in such a way that everyone is a felon, the Justice Department has usually replied by saying, roughly, that federal prosecutors don’t bother with minor cases—they only go after the really bad guys. That has always been a lame excuse—repulsive to anyone who takes seriously the idea of a “a government of laws, not men.” After Aaron Swartz’s suicide, the era of trusting prosecutors with unlimited power in this area should officially be over.

There is a much more immediate and effective remedy: the Justice Department should announce a change in its criminal-enforcement policy. It should no longer consider terms-of-service violations to be criminal. It can join more than a dozen federal judges and scholars, like Kerr, who adopt a reasonable and more limited interpretation. The Obama Administration’s policy will have no effect on civil litigation, so firms like Oracle will retain their civil remedies. President Obama’s DREAM Act enforcement policy, under which the Administration does not deport certain illegal immigrants despite Congress’s inability to make the act a law, should be the model. Where Congress is unlikely to solve a problem, the Administration should take care of business itself.

All the Administration needs to do is to rely on the ancient common-law principle called the “rule of lenity.” This states that ambiguous criminal laws should be construed in favor of a defendant. As the Supreme Court puts it, “When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” So far, at least thirteen federal judges have rejected the Justice Department’s interpretation of the Computer Fraud and Abuse Act. If that’s not a sign that the law is unclear and should be interpreted with lenity, I don’t know what is.

Rep. Gohmert: It's my understanding that under 18 USC 1030 that it is a criminal violation of law to do anything that helps take control of another computer, even for a moment. Is that your understanding?

Orin Kerr: It depends exactly what you mean by "taking control." If "taking control" includes gaining access to the computer, assuming a network your not supposed to take control of, then yes, that would clearly be prohibited by the statute.

Rep. Gohmert: For example, my understanding is that there was a recent example where someone had inserted malware on their own computer, such that when their computer was hacked and the data downloaded, it took the malware into the hacker's computer, such that when it was activated, it allowed the person whose computer was hacked to get a picture of the person looking at the screen. So they had the person who did the hacking, and actually did damage to all the data in the computer. Now, some of us would think 'that's terrific, that helps you get at the bad guys.' But my understanding is that since that allowed the hackee to momentarily take over the computer and destroy information in that computer and to see who was using that computer, then actually that person would have been in violation of 18 USC 1030. So I'm wondering if one of the potential helps or solutions for us would be to amend 18 USC 1030 to make an exception such that if the malware or software that allows someone to take over a computer is taking over a hacker's computer, that it's not a violation. Perhaps it would be like for what we do for assaultive offenses, you have a self-defense. If this is a part of a self-defense protection system, then it would be a defense that you violated 1030. Anybody see any problems with helping people by amending our criminal code to allow such exceptions or have any suggestions along these lines?

Orin Kerr: Mr. Gohmert, that's a great question that is very much debated in computer security circles. Because, from what I hear there is a lot of this "hacking back" as they refer to it. But at least under current law, it is mostly illegal to do that.... The real difficulty is in the details. In what circumstances do you allow someone to counterhack, how broadly are they allowed to counterhack, how far can they go? The difficulty, I think, is that once you open that door as a matter of law, it's something that can be difficult to cabin. So I think if there is such an exception, it should be quite a narrow one to avoid it from becoming the sort of exception that swallows the rule.

Rep. Gohmert: Well, I'm not sure that I would care if it destroyed a hacker's computer completely. As long as it was confined to that hacker. Are you saying we need to afford the hacker protection so we don't hurt him too bad?

Orin Kerr: (brief confounded look on his face) Uh... no. The difficulty is that you don't know who the hacker is. So it might be that you think the hacker is one person, but their routing communications... Let's say, you think you're being hacked by a French company, or even a company in the United States...

Rep. Gohmert: Oh and it might be the United States Government! And we don't want to hurt them if they're snooping on our people. Is that...?

Orin Kerr: No.

Rep. Gohmert: I don't understand why you're wanting to be protective of the hacker.

Orin Kerr: The difficulty is first, identifying who is the hacker. You don't know when someone's intruding into your network who's behind it. So all you'll know is that there's an IP address that seems to go back to a specific computer. But you won't know who it is who's behind the attack. That's the difficulty.

"His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he," wrote U.S. Attorney Paul Fishman, who went on to note the "atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access."

According to a federal indictment first obtained by the Huffington Post, Keys used a chat site to pass information to Anonymous. Using the name AESCracked, Keys handed over the login credentials and told hackers to "go fuck some shit up", the indictment says.

The hacker accessed at least one Los Angeles Times story and altered it, the charges say.

On the one hand, when compared what happened with Aaron Swartz, this is a step in the right direction. We're not talking about someone with positive intentions who walked the line between hacking and innovation, but someone who acted with obvious malice. But on the other hand, this highlights the big problem with federal hacking laws. The damage amounted to little more than inconvenience for a system administrator, making this essentially a case of small-scale vandalism—but because it involves computers, it's elevated to a federal crime. This really makes no sense. Computers and the internet are present in every part of life today, and computer crime can happen at every scale. In this case, it was the sort of reckless but small act of spite that would result in a much less serious punishment if it didn't happen online, and if it didn't allow the government to place Anonymous in the villain role of another story.

The case against Keys looks strong, and I'm guessing it will end with some sort of deal for a lesser punishment—possibly in exchange for information about other hackers. The real penalty will be the damage done to his career by this breach of trust (which further highlights the pointlessness of trying to put him in jail), but the biggest takeaway is that federal computer crime laws are in serious need of reform. Elevating the severity of simple crimes because they involve what is now one of the most common tools in the world is a senseless imbalance of justice, and makes it much harder to identify and combat serious crime online.

In 2006, while a sophomore at Harvard, Zuckerberg created a website called “Facemash” which compared photographs of Harvard’s entire population, asking users to compare two photos and vote on who looked better. Zuckerberg allegedly got access to these photos by “hacking” into each of Harvard’s nine House websites and then collecting them all on one site. It’s not clear what this “hacking” was, but since the charges against him included “breaching security,” it may have fun afoul of the law.

Columbia Law Professor Tim Wu notes in the New Yorker that Apple co-founders Steve Jobs and Steve Wozniak, did acts that were “more economically damaging than, Swartz’s.” The two college roommates made what were called “blue boxes,” cheap devices that mimicked a certain frequency that allowed them to trick AT&T’s telephone system into making free long-distance calls. They also sold blue boxes before moving onto bigger and better ideas.

In his autobiography, Allen told the story of when the two future billionaires “got hold of” an administrator password at the company they worked at before starting Microsoft. The company had timeshared computers and Allen and Gates were getting charged for using them for their personal work.

The two men used the password to access the company's accounts and set about trying to find a free runtime account so that they could carry on programming without having to pay for the time. They also copied the account database for later perusal. However, management got wise to the plan.

"We hoped we'd get let off with a slap on the wrist, considering we hadn't done anything yet. But then the stern man said it could be 'criminal' to manipulate a commercial account. Bill and I were almost quivering."

“Experiences like that taught us the power of ideas…And if we hadn’t have made blue boxes, there would’ve been no Apple.”

After figuring out just who she's seeking, Webb rejoins JDate, the Jewish dating site, as a man — creating 10 profiles for men she would want to date, with stock images and character sketches so elaborate you'd think she were outlining a novel. For example, we learn from the spreadsheet she makes for LawMan2346 that he and his younger brother, Mark, "didn't get along great as kids, but they're best friends now. Mark is the total opposite of him — plays sports, drinks beer. Typical man's man kind of guy."

But she's not Catfishing, she's doing opposition research. For a month, she corresponds with 96 female JDaters through these fake profiles, never meeting these women but interacting just enough to collect data (more spreadsheets!) on how they present themselves. Then, she can mimic her competitors and hopefully snag a better catch.

You agree to provide accurate, current and complete information about Yourself as prompted by Our registration form ("Registration Data"), and to maintain and update Your information to keep it accurate, current and complete."

You represent and warrant to Us that the information posted in Your profile, including Your photograph, is posted by You and that You are the exclusive author of Your profile and the exclusive owner of Your photographs. You assign to Us, with full title guarantee, all copyright in Your profile, Your photographs posted, and any additional information sent to Us at any time in connection with Your use of the Service.

You will not post on the Service, or transmit to other members or to Us or Our employees, any defamatory, inaccurate, abusive, obscene, profane, offensive, sexually oriented, threatening, harassing, racially offensive, or illegal material, or any material that infringes or violates another party's rights

You will not harass or impersonate any person or entity. You will not use any manual or automatic device or process to retrieve, index, data mine, or, in any way reproduce or circumvent the navigational structure or presentation of the Service or its contents.

Thank you, Reddit and everyone else who provided feedback to the original rough draft bill to reform the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute – the laws the government used to unfairly prosecute Aaron Swartz. With the help of Internet freedom advocates, computer and legal experts, the draft has been revised and is available here. I have been in communication with Aaron’s father who supports this draft bill and approves of the name “Aaron’s Law.”

Like the first draft, this revised draft explicitly excludes breaches of terms of service or user agreements as violations of the CFAA and wire fraud statute. This revised draft also makes clear that changing one's MAC or IP address is not in itself a violation of the CFAA or wire fraud statute. In addition, this draft limits the scope of CFAA by defining "access without authorization" as the circumvention of technological access barriers. Taken together, the changes in this draft should prevent the kind of abusive prosecution directed at Aaron Swartz and would help protect other Internet users from outsized liability for everyday activity.

As our discussions have continued, it is clear that many believe a thorough revision of the CFAA and substantial reform of copyright laws are necessary. I agree. “Aaron’s Law” is not this complete overhaul, but is a first step down the road to comprehensive reform. If we succeed in getting this draft bill enacted into law, it will be in honor of Aaron Swartz, and should be seen as a beginning of a concerted effort to bring reform to these broader issues. To be successful, that effort will likely take substantial time and require sustained and intense support from all of you in a push that will need to exceed our stoppage of SOPA.

I see “Aaron’s Law” as common sense fixes that should be enacted to stop the kinds of abuse Aaron was subjected to from affecting others. I intend to introduce a final version of "Aaron's Law" as legislation soon, and in talking with my friend Sen. Ron Wyden of Oregon, I understand he wants to introduce it in the Senate as well. I will be urging my colleagues in the House of Reps to become cosponsors. The chances of success – whether for "Aaron's Law" or other proposals – will depend greatly on the degree of positive public engagement and support to change the law. As SOPA showed, when the Internet speaks, lawmakers listen. I think with enough constructive support we can have an opportunity to pass "Aaron's Law."

Many thanks to all of you – Zoe

Citizens of the world,

Anonymous has observed for some time now the trajectory of justice in the United States with growing concern. We have marked the departure of this system from the noble ideals in which it was born and enshrined. We have seen the erosion of due process, the dilution of constitutional rights, the usurpation of the rightful authority of courts by the "discretion" of prosecutors. We have seen how the law is wielded less and less to uphold justice, and more and more to exercise control, authority and power in the interests of oppression or personal gain.

We have been watching, and waiting.

Two weeks ago today, a line was crossed. Two weeks ago today, Aaron Swartz was killed. Killed because he faced an impossible choice. Killed because he was forced into playing a game he could not win -- a twisted and distorted perversion of justice -- a game where the only winning move was not to play.

However, in order for there to be a peaceful resolution to this crisis, certain things need to happen. There must be reform of outdated and poorly-envisioned legislation, written to be so broadly applied as to make a felony crime out of violation of terms of service, creating in effect vast swathes of crimes, and allowing for selective punishment. There must be reform of mandatory minimum sentencing. There must be a return to proportionality of punishment with respect to actual harm caused, and consideration of motive and mens rea. The inalienable right to a presumption of innocence and the recourse to trial and possibility of exoneration must be returned to its sacred status, and not gambled away by pre-trial bargaining in the face of overwhelming sentences, unaffordable justice and disfavourable odds. Laws must be upheld unselectively, and not used as a weapon of government to make examples of those it deems threatening to its power.

The U.S. Sentencing Commission website has been hacked again and a code distributed by Anonymous "Operation Last Resort" turns ussc.gov into a playable video game.

Visitors enter the code, and then the website that sets guidelines for sentencing in United States Federal courts becomes "Asteroids."

Shooting away at the ussc.gov webpage reveals an image of Anonymous. The trademark Anonymous "Guy Fawkes" face is comprised of white text saying, "We do not forgive. We do not forget."

The exploit is probably counterproductive too. Apart from turning those who want reform of computer crime law into the allies of lawbreakers, Anonymous has substantively hurt the case for amending the CFAA. Heavy criminal penalties are entirely appropriate for people who hack a Supreme Court Justice’s account and disclose personal secrets. But it’s not easy to redraft the CFAA so it reflects the difference between Swartz and the Anonymous hackers, at least not without relying on precisely the prosecutorial discretion that the Swartz prosecutors misused.

Finally, I wonder if this incident won’t affect the Supreme Court’s approach to cybercrime issues. As Frank Rizzo once said, a conservative is a liberal who’s been mugged. If that’s true, every time Anonymous mugs one of the Justices in cyberspace, it could be making the Court just a little less enthusiastic about limiting the tools the government uses to deter computer crime

Not that any of the justices have shown much enthusiasm up to now, but the alternative to bad isn't necessarily good. Things can always get worse.

The first indication that Anonymous made a left turn when it should have made a right was when it picked the United States Sentencing Commission website to show its might. Nobody noticed, because, well, nobody cares about the USSC anymore.

Had this happened a generation ago, it might have meant something. Yesterday, it likely evoked a chuckle and a face palm. Post Booker and some actual crack reforms, it was a big nothing.

So you guys can hack an outlier agency that has drifted into relative irrelevance. Got it. Have a nice day. The USSC is symbolic of nothing other than government bloat. The guidelines don't enable prosecutors to cheat citizens of their constitutionally guaranteed rights. Citizens do that to each other. We do it each time we elect a legislator who calls for tougher laws. We do it each time we demand the creation of a new crime because of the tragic death of a child. We do it whenever we elevate safety over freedom. And that's what Americans do...

By taking out the USSC website, you disturbed nothing while annoying the government. When the head of the FBI cybersecurity squad gets done laughing, he's going to find someone else to prosecute. It may not be one of you, but it will be someone, or more likely, a whole gang of people with computers. And they have guns. Pissing them off over nothing isn't effective. It's just begging for retaliation, and the government has no sense of humor (or irony).

And so I became a bulk downloader. I wrote a Perl script: a simple, 70-line program that exhaustively went through the Wayback Machine, looking for a copy of each LawMeme article. Just like Aaron's script, mine “discovered the URLs” of articles and then downloaded them. And just to show how mainstream this is, I'll add that I built my script around an elementary one that Paul Ohm published in “Computer Programming and the Law: A New Research Agenda,” his manifesto for why more law professors should write code. Paul's script downloaded and analyzed the comment counts on posts from the popular legal blog The Volokh Conspiracy.

[....] take the Internet Archive's terms of service. By using the site, I supposedly promised not "to copy offsite any part of the Collections without written permission." The site's FAQ qualifies this statement a bit, adding, "However, you may use the Internet Archive Wayback Machine to locate and access archived versions of a site to which you own the rights." Again, I was confident that this covered me. But confidence is not certainty. I assumed that no one would care to press the question. After Aaron, is that such a safe assumption?

I can't imagine that the Internet Archive would have a problem with what I did. Recreating lost websites for the sake of the public and posterity is completely consistent with Brewster Kahle's expansive humanist vision of digital archiving. But JSTOR quickly made its peace with Aaron, and that didn't save him. Would Brewster's blessing save me from the wrath of the feds?

Indeed, my script waited a second between each download. I didn't want to put too much of a load on the Archive's servers. But a cyber-Javert could describe it as an attempt to evade detection. Then, to get the webpages to display right in the LawMeme archive, I wrote another script to delete the bits of HTML added by the Internet Archive to the pages in its archive. Was that an effort to hide my tracks?

Aaron's Law is a start, but the problems with our computer crime laws, and with criminal law in general, run much, much deeper. The Department of Justice thinks millions of parents who made Facebook accounts for their children are federal criminals. Read the majority opinion in United States v. Nosal and ask yourself whether you've fudged your age on a dating site, or let someone else use your account, or used a workplace computer to check the baseball scores. Judge Kozinski noted, skeptically, "The government assures us that, whatever the scope of the CFAA, it won't prosecute minor violations." Tell that to Aaron's family.