Artificial Interruption

by Alexander Urbelis (alex@urbel.is)

Justice as a KPI

Sitting in my office in midtown Manhattan at the end of May, the sun was shining and, while in the midst of writing something on a short deadline and deep in thought, I was distracted, as always, by an Exchange notification of a new email.  Though these new email notifications can often be disproportionate in their ability to be disruptive relative to their brevity, this one was particularly so.  In the two lines of text that popped into the lower right hand corner of the monitor, I saw something unusual: a notification that the Department of Justice had revised its prosecutorial guidelines for bringing charges under the Computer Fraud and Abuse Act (CFAA).

The notification was effective.  My interest was piqued.  I clicked the banner, opened the email, and was amazed to find the entirety of the email just as fascinating.  I learned these new prosecutorial guidelines mandated that "good faith security research" would no longer be treated as a crime under the CFAA.  This seemed like a victory for white hats, security researchers, pen-testers, bounty hunters, etc., depending on how these new guidelines defined the contours of good faith security research.  Too narrow and the change would have no effect; too broad and the statute itself would lose its meaning and force.

The CFAA is a famous and infamous statute: on the books since 1986, proposed by Congress in 1984, and drafted in direct response to the cult classic hacker flick WarGames.  The new guidelines for prosecution under the CFAA coincidentally take their definition of "good faith security research" from another infamous statute in the hacker community, the Digital Millennium Copyright Act (DMCA), under which the Motion Picture Association of America (MPAA) sued 2600 Magazine just about 23 years ago.  Because the DMCA deals in some respects with reverse engineering and security testing, it had a fairly broad definition of "good faith security research," i.e., "Accessing a computer solely for purposes of good faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

On the surface, this looks like a rather expansive class of activities that should not fall afoul of the CFAA.  That said, there are many ways this definition can be interpreted and, for this reason, security researchers and prosecutors are likely to disagree on boundaries.  As such, the CFAA will continue to exist as a nuanced law subject to multiple interpretations.  These boundaries, by the time of publication of this article, will no doubt have already been addressed in a robust, respectful, and meaningful way at the HOPE panel I will have moderated.

But even now, on a gut level, the mere idea that good faith security research, that ethical hacking, is not outside the law but within it, should finally feel like the hacker community is seeing the policy changes it clamored for over the last three decades - that finally things are looking more just.  Even though the law is not changed, the new guidelines are a public statement of what the DOJ believes is right and wrong, and of what is just and unjust to pursue as a prosecution.

Because of this shift towards justness, I began to ruminate, to re-think justice, the very elusive nature of that concept itself, with a particular focus on how to measure justice.  Since this policy change would result in DOJ prosecuting fewer actions as crimes, would a lower number of CFAA prosecutions signal a greater amount of justice?  How would the efficacy of this policy change be measured?  What, if anything, can we make of differences in interpretation of these new guidelines between U.S. Attorneys' Offices?  If there are fewer cases in New York brought under the CFAA but an increasing amount in, say, Kentucky, then what does that say about the result of the new guidelines?  In short, can we measure justice like it's some kind of Key Performance Indicator (KPI)?

It's certainly not how Aristotle thought of it.  As an undergraduate, I was very fortunate to have the opportunity to attend Oxford University as a visiting student.  While there, I studied Aristotle's Nicomachean Ethics with a truly great man, the Rev. Dr. Cyril Barrett.  Cyril was an Irish Jesuit priest in the most irreverent, progressive, and controversial ways possible.  I recall many fervent discussions during tutorials with Cyril about whether Aristotle had it right or totally wrong, and a good deal of those discussions centered around the concept of justice.

Justice was a virtue to Aristotle; it was a standard of conduct to which humans should strive.  Virtue, as Aristotle famously defined it, existed in the middle ground (i.e., the mean) between excess and defect.  This concept makes sense for characteristics like temperance or moderation, because an excess of temperance would make one fussy and overly prudent, while on the other hand, a defect of moderation could lead to extreme or disproportionate behavior, like binge drinking.  In the context of drinking, Aristotle would have neither approved of persons who were straight-edge nor persons who regularly drank too much - moderation was the key to virtue.  Going too far in either direction from the mean, according to Aristotle, would lead to vice.

For Aristotle, justice was also a virtue - a rational mean between two extremes.  While we can certainly envision there being a defect of justice or, in other words, too little justice, it does not necessarily make sense that there could be too much justice.  Moving in the direction of ensuring a just result, viz. achieving justice, seems exactly like what a governmental agency that calls itself the Department of Justice should be doing.

On the defect of justice side in the specific context of the CFAA, we have an example from our community that will always make our hearts heavy: Aaron Swartz.  Over a decade ago, based on what appears to be a now-rejected view of what the CFAA covers, the DOJ charged Aaron with eleven CFAA violations for systematically downloading academic journals from JSTOR.  The U.S. Attorney's Office in Massachusetts intended to use Aaron's case to send a message.  The State of Massachusetts, on the other hand, declined to bring any charges against Aaron for the same conduct.  Nearly two years later, after DOJ rejected a plea arrangement, Aaron hanged himself in his Brooklyn apartment.  If ever there was a defect of justice, this case was it.  To the contrary, did the decision of the State of Massachusetts to not view this conduct as criminal create an excess of justice?  I say no: Aaron surely suffered and learned his lesson by the mere fact that both the State of Massachusetts and the U.S. Department of Justice were investigating his conduct.  Viewed in the light of the new guidelines, even contemplating pursuing charges against Aaron's conduct could be seen as a defect of justice.

That raises the issue of whether the guidelines changes are too little too late.  Overzealous pursuit of CFAA charges took a precious life from our community.  The government moves slowly, arguably too slowly, but at least this is movement, and movement in the right direction.

I submit that, in Aristotelian terms, there may now be a way to measure the impact of the CFAA policy changes on whether the Department of Justice is pursuing just cases.  The first metric would be to take the total number of cases where CFAA charges are contemplated, which we can call N.  Subtract from N the total number of cases across the United States for which U.S. Attorneys' Offices have declined prosecution on account of new guidelines' carve-out for good faith security research.  We can call that total D.  Thus, the equation of (N - D) = the total number of cases actually pursued under the CFAA, which we can call C.  Let P = the total number of CFAA cases pursued across the United States in previous years.

P should be greater than C.  If C is greater than P, then it is likely that the new guidelines are not being implemented or there is a problem of inconsistent interpretation.  C, therefore, could be further analyzed by jurisdiction.  Unless there are a greater number of CFAA cases countrywide that fall outside of the new guidelines, C should decrease.  The percentage of C's decrease can thus act as an Aristotelian marker, the spot that indicates the mean, or the middle ground, for justice.

Measurements such as these, though not actuarial in nature and certainly subject to some variance based on the facts and circumstances of individual cases, should also allow easier recognition of cases that would fall outside the mean of justice - cases like Aaron Swartz's.  Those cases tend to be the ones that the government pursues to send a message, and which would deter future conduct.  Those cases, therefore, are more likely to be inherently defective of justice, or more colloquially, those cases are simply less just.  It is for this reason that I submit that U.S. Attorneys should be measured, not by their convictions, but by the use of sound discretion in declining to pursue certain cases.

Those declinations indicate an understanding of the need and place for good faith security research, a recognition of the policy errors of the past, and a commitment to prevent injustice going forward.  This is an area where less can certainly be more as we, as a community and a country, continue to struggle with and strive for justice.
