“It’s a single point in the system through which all of the content can be collected if they can manage to activate it,” said Edward W. Felten, a computer science professor at Princeton and one of the authors of the report... “That’s a security vulnerability waiting to happen, as if we needed more,” he said.

The scope of the subpoena was overbroad under the law, given that it involved seizing records from a broad range of telephones across AP’s newsgathering operation. More than 100 journalists work in the locations served by those telephones. How can we consider this inquiry to be narrowly drawn?

We held that story until the government assured us that the national security concerns had passed. Indeed, the White House was preparing to publicly announce that the bomb plot had been foiled.

This was a very serious leak. A very, very serious leak. I’ve been a prosecutor since 1976, and I have to say that this is among, if not the most serious, it is within the top two or three most serious leaks I’ve ever seen. It put the American people at risk. And that is not hyperbole. It put the American people at risk.

I think what you're referring to, Senator, is when I had a teleconference with some individuals, former government officials from previous administrations who were going to be out on talk shows on the night that a IED was intercepted.

And so I discussed with them some of the aspects of that, because I was going on the news network shows the following day, I wanted to make sure they understood the nature of the threat and what it was and what it wasn't.

And so what I said, at the time, because I said I couldn't talk about any operational details, and this was shortly after the anniversary of the Bin Laden takedown, I said there was never a threat to the American public as we had said so publicly, because we had inside control of the plot and the device was never a threat to the American public.

Despite the seizure of the phone records, a Justice Department spokesman said the agency valued freedom of the press and was “always careful and deliberative in seeking to strike the right balance between the public interest in the free flow of information and the public interest in the fair and effective administration of our criminal laws.”

On November 5, [redacted], the case agent sent an e-mail asking another Special Agent in the [redacted] Field Office to inquire, in the other agent's capacity as his squad's liaison to the CAU, whether the on-site communications service providers could obtain telephone toll records of U.S. persons making [redacted] calls [redacted]. The case agent's November 5 e-mail listed 12 [redacted] telephone numbers, 8 of which were identified in the e-mail as belonging to Washington Post reporters [redacted] and Washington Post researcher [redacted] and New York Times reporters [redacted] The email identified a 7-month period -- a few months before and a few months after the published articles -- as the time period of interest for the leak investigation.

[....] However, in absence of any request from the case agent or anyone in the FBI, the CAU SSA issued an exigent letter dated December 17, [redacted], to Company A for telephone records of the reporters and others listed in the case agent's November 5, [redacted], e-mail. We determined that the SSA did this without further discussion with the case agent or the Special Agent who had asked only whether such records could be obtained through on-site providers, not that the records should be obtained.

The CAU SSA's exigent letter sought records on nine telephone numbers, seven of which were identified in the e-mail exchanges described above as belonging to Washington Post and New York Times reporters or their news organizations' bureaus in [redacted].....

The exigent letter did not specify the 7-month interval noted in the case agent's November 5 e-mail, or contain any date restrictions. The exigent letter also stated that the request was made "due to exigent circumstances" and that "subpoenas requesting this information have been submitted to the U.S. Attorney's office who will process and serve them formally on [Company A] as expeditiously as possible." However, this statement was not accurate. A subpoena request had not been sent to the U.S. Attorney's Office at the time the exigent letter was served, or at any time thereafter.

There can be no possible justification for such an overbroad collection of the telephone communications of The Associated Press and its reporters. These records potentially reveal communications with confidential sources across all of the newsgathering activities undertaken by the AP during a two-month period, provide a road map to AP’s newsgathering operations, and disclose information about AP’s activities and operations that the government has no conceivable right to know.

That the Department undertook this unprecedented step without providing any notice to the AP, and without taking any steps to narrow the scope of its subpoenas to matters actually relevant to an ongoing investigation, is particularly troubling.

The sheer volume of records obtained, most of which can have no plausible connection to any ongoing investigation, indicates, at a minimum, that this effort did not comply with 28 C.F.R. §50.10 and should therefore never have been undertaken in the first place. The regulations require that, in all cases and without exception, a subpoena for a reporter’s telephone toll records must be “as narrowly drawn as possible.’’ This plainly did not happen

There should be reasonable ground to believe that a crime has been committed and that the information sought is essential to the successful investigation of that crime. The subpoena should be as narrowly drawn as possible; it should be directed at relevant information regarding a limited subject matter and should cover a reasonably limited time period. In addition, prior to seeking the Attorney General's authorization, the government should have pursued all reasonable alternative investigation steps as required by paragraph (b) of this section.

The judge also ruled that the government was not in the wrong for failing to disclose to a magistrate judge that it planned to use a stingray to track the defendant, or to explain to the judge how the tracking device it intended to use worked. He characterized this information as a “detail of execution which need not be specified.”

“When the government is seeking a warrant to use new technology, it has the duty to explain to the court what that technology is and how it works,” she said. “Stingrays are a very potent example of why that is so, because it scoops up innocent information of third parties who are not under probable cause surveillance.”

“I’m being arrested federally for winning on a slot machine,” he said. “It’s just like if someone taught you how to count cards, which we all know is not illegal. You know. Someone told me that there are machines that had programming that gave a player an advantage over the house. And that’s all there is to it.…

“Who would not win as much money as they could on a machine that says, ‘Jackpot’? That’s the whole idea!”

In short, the casinos authorized defendants to play video poker. What the casinos did not do was to authorize defendants ‘to obtain or alter information’ such as previously played hands of cards. To allow customers to access previously played hands of cards, at will, would remove the element of chance and obviate the whole purpose of gambling. It would certainly be contrary to the rules of poker.

The patent system is broken. Barnes & Noble alone has been sued by "non practicing entities"—a/k/a patent trolls—well over twenty-five times and received an additional twenty-plus patent claims in the last five years. The claimants do not have products and are not competitors. They assert claims for the sole purpose of extorting money. Companies like Barnes & Noble have to choose between paying extortionate ransoms and settling the claim, or fighting in a judicial system ill equipped to handle baseless patent claims at costs that frequently reach millions of dollars.

In the current system, patent trolls overwhelm operating companies with baseless litigation that is extremely costly to defend. Patent cases generally cost at least $2M to take through trial, and frequently much more. Litigating, even to victory, also entails massive business disruption. Companies are forced to disclose their most sensitive and top-secret technical and financial information and must divert key personnel from critical business tasks to provide information and testimony. The process is exceptionally burdensome, especially on technical staff. Document discovery and depositions seem endless.

Patent trolls know this and as a result, they sue companies in droves and make settlement demands designed to maximize their financial take while making it cheaper and less painful to settle than to devote the resources necessary to defeat their claims. The current system lets them do so even with claims that are unlikely to prevail on the merits. That is because, whether win lose or draw, the rules effectively insulate trolls from negative consequences except perhaps a lower return than expected from any given company in any given case. They can sue on tenuous claims and still come out ahead. And so the broken system with its attendant leverage allows trolls to extract billions in blackmail from U.S. companies and, in the final analysis, consumers.

The Patent and Copyright Clause grants Congress the power "[t]o...promote the Progress of Science and useful Arts," not science fiction and litigious arts. (Article 1, Section 8, Clause 8 (emphasis added)). But the current system allows trolls to pursue fantastic allegations—claims that would be laughed out of the room in actual scientific or technical circles—in endless litigation that taxes and taxes true innovators while making no meaningful contribution to society. Barnes & Noble's experience exemplifies this and industry data confirms it. See, e.g., James Bessen & Michael J. Meurer, "The Direct Costs from NPE Disputes" at 2, Boston Univ. School of Law Working Paper No. 12–34 (June 28, 2012) (available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id= 2091210) (estimating direct costs of troll litigation on economy at $29 billion for 2011 based upon study that included data from 82 companies and finding additional empirical support for earlier conclusion that "much of the cost borne by technology companies as they defend against NPE lawsuits is a social loss and not a mere transfer"). The system has lost its true north.

Even the most plainly baseless lawsuits are expensive and can take years to defeat. In at least four cases, Barnes & Noble has faced litigation by patentees asserting the same theories on which they previously lost. In one case, for example, Barnes & Noble is alleged to infringe patents because BN.com uses the HTML language and returns search results other than exact matches. The patentee asserted these allegations against Barnes & Noble despite having tried and lost a case against other ecommerce retailers based on the same functional allegations levied against their websites. In two of these four cases, the patentees ceased pursuing claims against Barnes & Noble once the United States Court of Appeals for the Federal Circuit affirmed their earlier losses. But in two others, the appeals are not yet final and although Barnes & Noble has filed dispositive motions, the litigations have carried on actively for years.

In two other recent cases, Barnes & Noble achieved victory at the district court level on summary judgment. In one such case, the Court awarded Barnes & Noble its costs—but the total awarded was less than $50K. The company expended millions to achieve that victory, but attorneys’ and expert fees are not recoverable as a matter of course.

Appeals routinely follow summary judgment victories, and Barnes & Noble's experience has been no exception. The Federal Circuit now has a mandatory mediation program. In that program, Barnes & Noble has received demands for substantial settlement payments—even in cases that it won below. One such demand, for example, exceeded $3M. The settlement demands that patent trolls make on appeal, particularly in the wake of complete defeat, have nothing to do with the merits. They underscore the uncertainty and expense that accompany appeals and potential retrials in patent cases.

In a growing number of cases, patentees sue Barnes & Noble on multiple patents only to drop one or more of them before trial. This practice underscores that many patent claims are not made in good faith. Rather, plaintiffs frequently assert patents for additional leverage to force companies to expend significant resources mounting a defense on multiple fronts even when they know they will not ultimately prevail.

Barnes & Noble and other technology companies see countless lawsuits in which the asserted patents purport to cover products and technologies common to the entire industry. We face repeated allegations that anyone using Wi-Fi, anyone using 3G, anyone using MP3, anyone with an e-commerce website, anyone using Ethernet, and, recently, anyone using InfiniBand technology, to name a few, is infringing and must pay a hefty price to license purportedly essential patents. The allegations sweep far beyond specific innovations to which a patent might legitimately lay claim.

Require Losing Patentees to Pay Costs and Expenses, Including Attorneys' Fees

Require Actual Reduction to Practice and Commercialization

Cap Damages at the Amount Paid to Acquire a Patent

Require Clear and Convincing Proof that an Invention is New and Non-obvious for a Patent to Issue

Keep Trolls Out of the ITC

Under the draft proposal, a court could levy a series of escalating fines, starting at tens of thousands of dollars, on firms that fail to comply with wiretap orders, according to persons who spoke on the condition of anonymity to discuss internal deliberations. A company that does not comply with an order within a certain period would face an automatic judicial inquiry, which could lead to fines. After 90 days, fines that remain unpaid would double daily.

Senior Obama administration officials have secretly authorized the interception of communications carried on portions of networks operated by AT&T and other Internet service providers, a practice that might otherwise be illegal under federal wiretapping laws.

The secret legal authorization from the Justice Department originally applied to a cybersecurity pilot project in which the military monitored defense contractors' Internet links. Since then, however, the program has been expanded by President Obama to cover all critical infrastructure sectors including energy, healthcare, and finance starting June 12.

A report (PDF) published last month by the Congressional Research Service, a non-partisan arm of Congress, says the executive branch likely does not have the legal authority to authorize more widespread monitoring of communications unless Congress rewrites the law. "Such an executive action would contravene current federal laws protecting electronic communications," the report says.

Because it overrides all federal and state privacy laws, including the Wiretap Act, legislation called CISPA would formally authorize the program without the government resorting to 2511 letters. In other words, if CISPA, which the U.S. House of Representatives approved last week, becomes law, any data-sharing program would be placed on a solid legal footing. AT&T, Verizon, and wireless and cable providers have all written letters endorsing CISPA.

1. Suspending basic rights and due process out of fear is exactly the kind of thing that people attacking the US want to see. Showing that we can't live up to our most basic rights and principles in the face of a terrorist attack gives those who hate us that much more incentive to keep going. It's not just a sign of weakness, but an encouragement for those who seek to undermine our society. In fact, it takes a step in that very direction by showing that the government is willing to throw out the rules and principles when it gets a little scared by a teenager.
2. The slippery slope here is steep and extremely slick. There are no rules on when the DOJ can suddenly ignore Miranda. It gets to decide by itself. This is an organization with a long history of abusing its power, now allowed to wipe out one of the key protections for those they're arresting, whenever it sees fit. The whole point of the ruling in Miranda is that it should not be up to law enforcement. A person's rights are their rights.
3. The part that really gets me: if anything, this opens up a really, really stupid line of defense for Dzokhar Tsarnaev if he ever faces a criminal trial. His lawyers will undoubtedly claim that the arrest and interrogation was unconstitutional due to the lack of (or delay in) Miranda rights. Why even open up that possibility of a defense for him?
4. The guy has lived in the US for many years -- chances are he actually knows the fact that he has the right to refuse to speak. So, we're violating our principles, basic Constitutional due process, and opening up a massive opening for a defense, to avoid telling him something he likely already knows.

Among other things, the Government argued that, even if the individuals are never extradited to the United States, the Government can simply ignore Rule 4’s requirement that the summons be mailed to Megaupload’s “last known address within the district or to its principal place of business elsewhere in the United States” and instead mail it to an alternate destination. (See Dkt. 159 at 3-4 (suggesting that the Government could mail the summons to the Commonwealth of Virginia’s State Corporation Commission; or to the warehouse of third party vendor Carpathia Hosting; or to other third parties).) Previously, the Government had even suggested that Rule 4’s mailing requirement is merely hortatory, and that “[s]ervice of process in the corporate context . . . is complete upon delivering the summons to an officer or agent” of the corporation. (Dkt. 117 at 9-10.)

The Government’s letter is directly relevant to the Court’s consideration of Megaupload’s pending motion to dismiss without prejudice, as it contradicts the Government’s repeated contention that it can validly serve Megaupload—a wholly foreign entity that has never had an office in the United States—without regard for Rule 4’s mailing requirement. To the contrary, the Government explicitly acknowledges in the letter that it has a “duty” under the current Rule to mail a copy of the summons to a corporate defendant’s last known address within the district or to its principal place of business elsewhere in the United States. (See Exhibit 1 at 2.) Moreover, by seeking to have the mailing requirement eliminated, the Government implicitly admits it cannot validly serve Megaupload consistent with Rule 4 as currently written. Finally, contrary to the Government’s contentions before this Court that Rule 4’s existing provisions are mere accidents of drafting, the Government is acknowledging to the Advisory Committee that they are in fact well considered products of “the environment that influenced the original drafters of the Federal Rules of Criminal Procedure,” albeit an environment that the Government believes “no longer exists,” given what it calls the “new reality” of “federal criminal practice.” (Id. at 2- 3.) To the extent that the Government would urge this Court to work the same substantive modification of Rule 4 that it is urging upon the Advisory Committee, this Court should be forthrightly advised in the premises as to the nature of the Government’s request and the reasoning behind it.

The Government’s letter to the Advisory Committee thus confirms what Megaupload has argued all along—that the Government indicted Megaupload, branded it a criminal, froze every penny of its assets, took its servers offline, and inflicted a corporate death penalty, notwithstanding the fact that the Government had no prospect of serving the company in accordance with current law, yet to be amended. Megaupload should not be made to bear the burdens of criminal limbo while the Government seeks to rewrite the Federal Rules to suit its purposes.

Tax dollars are also used at the department to help the entertainment industry. The FBI has its own Investigative Publicity and Public Affairs Unit, which is dedicated to helping Hollywood make movies and TV shows, including “The Kingdom,” “Fast and Furious 4,” “CSI,” “Numb3rs” and “Without a Trace.” This perk for Hollywood comes with an annual price tag of $1.5 million to the American taxpayer.

The Department of Justice recommends amendments to Rule 4 of the Federal Rules of Criminal Procedure to permit the effective service of a summons on a foreign organization that has no agent or principal place of business within the United States. We view the proposed amendments to be necessary in order to effectively prosecute foreign organizations that engage in violations of domestic criminal law.

First, we recommend that Rule 4 be amended to remove the requirement that a copy of the summons be sent to the organization's last known mailing address within the district or principal place of business within the United States. Second, we recommend that Rule 4 be amended to provide the means to serve a summons upon an organization located outside the United States. The proposed amendments are necessary to ensure that organizations that commit domestic offenses are not able to avoid liability through the simple expedients of declining to maintain an agent, place of business and mailing address within the United States.

Accordingly, the United States maybe faced with the anomalous result that a private civil litigant will be able to pursue an action against an organization while the government remains helpless to vindicate the laws of the United States through a corresponding criminal proceeding.

Another example is provided by a pending case, United States v. Dotcom.... A grand jury returned an indictment against foreign organization Megaupload Limited and other defendants on racketeering, copyright infringement and money laundering charges. In response, Megaupload Limited — a foreign organization that has an extensive presence in the United States (it allegedly leased more than 1,000 servers in the United States, facilitated the distribution of illegally reproduced works throughout the United States, and has caused damages in excess of $500 million to victims) — has specially appeared and argued that it is immune from prosecution in the United States simply because it does not have an agent or mailing address in the United States: "Megaupload does not have an office in the United States, nor has it had one previously. Service of a criminal summons on Megaupload is therefore impossible, which forecloses the government from prosecuting Megaupload."

Last summer, in an effort to strike the right balance between government transparency and the protection of critical intelligence activities, the government declassified four statements concerning its activities pursuant to Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) Amendments Act of 2008. Not content with that disclosure, Electronic Frontier Foundation (“EFF” or “Plaintiff”) submitted a Freedom of Information Act (“FOIA”) request seeking additional information related to two of the declassified statements, specifically, that on at least one occasion the Foreign Intelligence Surveillance Court (“FISC”) “held that some collection carried out pursuant to the Section 702 minimization procedures used by the government was unreasonable under the Fourth Amendment” and that “on at least one occasion the FISA Court has reached th[e ] conclusion” that “the government’s implementation of Section 702 of FISA has sometimes circumvented the spirit of the law.”

The government has determined that disclosure of the information withheld from Plaintiff could result in exceptionally grave and serious damage to the national security. Plaintiff obviously cannot contend otherwise. The Court accordingly should defer to the government’s determination in this case, uphold the Department’s withholdings, and grant this motion.

Yet, as the amicus brief points out, the OLC’s opinions aren’t some intermediary step toward establishing the final legal interpretations for the executive branch. In general, they are the final legal interpretations for the executive branch. The FBI could choose to exercise the authority that the OLC said it had — or not — but Congress, the judiciary and the public at large all deserve to know what the executive branch thinks it can do, once it issues a conclusive opinion.

"We believe we have an obligation and responsibility to help curb the sale and shipment of drugs sold through illegal Internet pharmacies," said Susan Rosenberg, a UPS spokeswoman.

Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely. The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved. The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn’t worked...

Indeed, because legal doctrines already overlap so extensively, we almost never see an online trespass to chattels claim asserted on a standalone basis. Instead, an online trespass to chattels claim is usually just one of numerous legal violations asserted against the defendant. These doctrinal overlaps mean we usually don’t need online trespass to chattels either to supplement the more squarely applicable claims or to act as a “gap-filler” to plug the rare and narrow holes left by the other legal doctrines.

1) Repeal most provisions of the CFAA (that don't relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online. Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.

2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.

3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.

4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).

As some of you may be aware, our office has been working closely with the magistrate judges in an effort to address their collective concerns regarding whether a pen register is sufficient to authorize the use of law enforcement's WIT technology (a box that simulates a cell tower and can be placed inside a van to help pinpoint an individual's location with some specificity) to locate an individual. It has recently come to my attention that many agents are still using WIT technology in the field although the pen register application does not make that explicit.

While we continue work on a long term fix for this problem, it is important that we are consistent and forthright in our pen register requests to the magistrates…

They’re looking for feedback, so here is mine: Stop taking DOJ’s language from back in 2011 and packaging it as something new. Based on a quick read, it seems that the amendments for 1030 in the new draft are mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011. I criticized that language here. The new circulating draft also adopts the sentencing enhancements (minus mandatories) and the proposed 1030a that DOJ advocated in May 2011. I criticized that initial DOJ language here. (There’s also a breach notification provision in the new language, but I haven’t followed that issue closely; I don’t know if that proposal is also based on old language.)

[....] This language is really, really broad. If I read it correctly, the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions. It would make it a felony crime for anyone to violate the TOS on a government website. It would also make it a federal felony crime to violate TOS in the course of committing a very minor state misdemeanor. If there is a genuine argument for federal felony liability in these circumstances, I hope readers will enlighten me: I cannot understand what they are.

My quick review and reaction to this bill is that it seems to answer most of what the Department of Justice wants with very little for the internet online community in return. Most notably the bill would make violations of the CFAA predicate acts for a RICO criminal charge — what this means is that if you engage in just two instances of violating the CFAA, then you are engaged in a pattern of racketeering, with substantial criminal penalties and .. .since the criminal definitions translate directly to civil liability .. a very significant possibility of a “bet the company” civil suit. Not a move designed to foster innovation, I think.

The broadest provision, 18 U.S.C. §1030(a)(2)(c), makes it a crime to “exceed authorized access, and thereby obtain… information from any protected computer.” To the Justice Department, “exceeding authorized access” includes violating terms of service, and “any protected computer” includes just about any Web site or computer. The resulting breadth of criminality is staggering. As Professor Kerr writes, it “potentially regulates every use of every computer in the United States and even many millions of computers abroad.” You don’t have to be a raving libertarian to think that might be a problem. Dating sites, to borrow an example from Judge Alex Kozinski, usually mandate that you tell the truth, making lying about your age and weight technically a crime. Or consider employer restrictions on computers that ban personal usage, like checking ESPN or online shopping. The Justice Department’s interpretation makes the American desk-worker a felon.

When judges or academics say that it is wrong to interpret a law in such a way that everyone is a felon, the Justice Department has usually replied by saying, roughly, that federal prosecutors don’t bother with minor cases—they only go after the really bad guys. That has always been a lame excuse—repulsive to anyone who takes seriously the idea of a “a government of laws, not men.” After Aaron Swartz’s suicide, the era of trusting prosecutors with unlimited power in this area should officially be over.

There is a much more immediate and effective remedy: the Justice Department should announce a change in its criminal-enforcement policy. It should no longer consider terms-of-service violations to be criminal. It can join more than a dozen federal judges and scholars, like Kerr, who adopt a reasonable and more limited interpretation. The Obama Administration’s policy will have no effect on civil litigation, so firms like Oracle will retain their civil remedies. President Obama’s DREAM Act enforcement policy, under which the Administration does not deport certain illegal immigrants despite Congress’s inability to make the act a law, should be the model. Where Congress is unlikely to solve a problem, the Administration should take care of business itself.

All the Administration needs to do is to rely on the ancient common-law principle called the “rule of lenity.” This states that ambiguous criminal laws should be construed in favor of a defendant. As the Supreme Court puts it, “When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” So far, at least thirteen federal judges have rejected the Justice Department’s interpretation of the Computer Fraud and Abuse Act. If that’s not a sign that the law is unclear and should be interpreted with lenity, I don’t know what is.

"Eric Holder and the Department of Justice are clearly trying to mislead the Senate and the public. Holder claims that Aaron was only facing months in prison while Heymann and Ortiz were actively pursuing a penalty of 7 years if the case went to trial. If you believe you're innocent, you should not be coerced into accepting a plea bargain that marks you as a felon for life, just because prosecutors want to boast about taking a scalp. The discrepancy between the plea deal and the amount of prison time prosecutors said they would pursue at trial violates the DOJ's own guidelines in this regard. Holder is trying to engage in revisionist history at the same time he claims that the strict sentences pursued by prosecutors were a 'good use of prosecutorial discretion.'

What's worse, this isn't just about sentencing. Steve Heymann engaged in serious prosecutorial misconduct on multiple occasions. Public documents show that he instructed the Secret Service to seize and hold evidence without a warrant, violating the Fourth Amendment. He then lied to the judge about that fact in written briefs. And he withheld exculpatory evidence from Aaron's lawyers for over a year, despite both a legal and ethical obligation to turn it over. If this constitutes appropriate behavior from the perspective of the Department of Justice, then we live in a police state.

The Department of Justice is not interested in admitting their errors, even when an out of control US Attorney's office has cost this country one of our best and brightest. The DOJ is only interested in covering their asses."

It's illuminating to compare the minimum number of users affected by NSLs each year to the numbers we find in the government's official annual reports. In 2011—the last year for which we have a tally—the Justice Department acknowledged issuing 16,511 NSLs seeking information about U.S. persons, with a total of 7,201 Americans' information thus obtained. That's actually down from a staggering 14,212 Americans whose information DOJ reported obtaining via NSL the previous year. Remember, this total includes National Security Letters issued not just to all telecommunications providers—including online services like Google, broadband Internet companies, and cell phone carriers—but also "financial institutions," which are defined broadly to include a vast array of businesses beyond such obvious candidates as banks and credit card companies.

What ought to leap out at you here is the magnitude of Google's tally relative to that total: They got requests affecting at least 1,000 users in a year when DOJ reports just over 7,000 Americans affected by all NSLs—and it seems impossible that Google could account for anywhere remotely near a seventh of all NSL requests. Google, of course, is not limiting their tally to requests for information about Americans, which may explain part of the gap—but we know that, at least of a few years ago, the substantial majority of NSLs targeted Americans, and the proportion of the total targeting Americans was increasing year after year. As of 2006, for instance, 57 percent of NSL requests were for information about U.S. persons. So even if we reduce Google's minimum proportionately, that seems awfully high.

There's a simple enough explanation for this apparent discrepancy: The numbers DOJ reports each year explicitly exclude NSL requests for “basic subscriber information,” meaning the “name, address, and length of service” associated with an account, and only count more expansive requests that also demand more detailed “electronic communications transactional records” that are “parallel to” the “toll billing records” maintained by traditional phone companies.

As I've talked to the people who have looked into this matter, these news reports about what he was actually facing is not consistent with what the interaction was between the government and Mr. Swartz. A plea offer was made to him of 3 months, before the indictment. This case could have been resolved with a plea of 3 months. After the indictment, an offer was made and he could plead and serve 4 months. Even after that, a plea offer was made, of a range of zero to 6 months, that he would be able to argue for a probationary sentence. The government would be able to argue for up to a period of 6 months. There was never any intention for him to go to jail for a period longer than 3, 4, potentially 5 month range.

AARON SWARTZ, 24, was charged in an indictment with wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer. If convicted on these charges, SWARTZ faces up to 35 years in prison, to be followed by three years of supervised release, restitution, forfeiture and a fine of up to $1 million.

Cornyn: The subscription service didn't support the prosecution. Does it strike you as odd that the government would indict someone for crimes that would carry penalties of up to 35 years in prison and million dollar fines and then offer him a 3 or 4 month prison sentence?

Holder: Well I think that's a good use of prosecutorial discretion. To look at the conduct, regardless of what the statutory maximums were, and to fashion a sentence that was consistent with what the nature of the conduct was. And I think what those prosecutors did in offering 3, 4, 0 to 6 was consistent with that conduct.