How do you kick an anonymous person off of a network? Other than blocking the MAC address, the only thing I can think of is to block non-HTTP access and redirect any HTTP requests to a page explaining what has happened with instructions for getting unblocked in case the block was due to a misunderstanding.
I find it odd to provide unlimited access to a network without any further form of authentication than just the IP address. There are enough alternatives out (e.g. Shibboleth) that could have been implemented if there were a needed for closer monitoring of access to journal databases.
I guess if he had purchased multiple laptops to circumvent the filter, the prosecutor would have argued along similar lines.
So the problem is that there is room to argue that the notion of unauthorized access exists on a network that doesn't do anything to identify or authenticate users.
Sure, but people at a mall are personally identifiable. This is more like a mall full of clones,whom you can individually address but collectively not differentiate.
They were intentionally not installing a security system at their "mall" while catering to a bunch of high risk consumers (i.e. high level of knowledge addiction, know track record of MIT "hackers", etc). Since they were having identification systems for other clients in place, one could even suggest, that they had given up restricting the access towards this specific crowd.
If you want to change the discussion to "was Aaron's crime worth 7 years in prison?" that's different. (Note: he wasn't just getting onto their network to play Nettrek. Walking into a closed store at night that happened to be unlocked to be out of the cold for a few minutes is different than doing the same thing in order to interfere with their business.)
I guess I'll need to put the "Ob: I'm not saying Aaron's crimes were worth 7 years in prison" on every comment again. Thanks.
I don't think you've really considered the practical effects of "unless someone has put in place measures to do identity and authentication of all people that enter, they don't have the rights to keep out unwanted parties."
Evading a MAC filter should be equivalent to criminal trespass (usually a misdemeanor). There isn't any such notion in the law.
So the problem I have is with the structure and application of the CFAA, not so much with people having the right to keep out unwanted parties.
I did not put it clearly above, but I specifically meant unauthorized access where the CFAA would apply (in my world view, for circumvention to be a felony, the network operator needs to have some expectation the security mechanism will effectively prevent access).
If all we were talking about was just getting onto their network, then I'd agree. Just walking into a store where I'm not allowed should be a misdemeanor. Charges could increase, possibly to the felony level, depending on what I do after I'm in the store.
If MIT were tracking down someone who kept on using the network to send out shitloads of spam, and that person kept on bypassing all of MIT's countermeasures, and that person dropped a physical box into a wiring closet at MIT, no one would be confused about this.
in my world view
I disagree with your world view, but for now we can leave it at us disagreeing.
