
Note, that doesn't mean I think you should get 30 years in prison for simply walking across my lawn.

Agreed, which is one reason it is important in this conversation to separate false identity from trespassing.

The relevance of the security measure is that it serves to prove that the trespasser knew he wasn't allowed on the property.

Ah! Exactly! Which is why this conversation is important. The OP has said that he effectively always says no when asked if he is "Insert Name". My example is also poor, because asking someone if they are Bob Dylan also informs them that Bob Dylan is restricted from entry, which means something to the law.

A better example would be a security system based on something fleeting and baseless, like your favorite color. You might have always liked the same color, or you might change favorite colors every year, or you might just tell people a different color because no one really knows what your favorite color is but you anyway. If the security call box asked you what your favorite color was, you told them something random, and they let you in, is that illegal? The security guard never said that people whose favorite color is X are not allowed, he just asked what your favorite color was, and then he let you in.



You're going to all sorts of gyrations to avoid the obvious. The fundamental question is still: do you know that you are being singled out?

Favorite colors are non-specific enough that you might reasonably not know. But MAC addresses aren't like favorite colors. Every Ethernet device has a unique one. If you find your MAC address banned, I think you can reasonably conclude that you're being singled out.
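The uniqueness claim above holds for factory-burned (universally administered) addresses, but it is worth knowing that the 48-bit MAC format itself carries a flag that distinguishes those from software-assigned ones: bit 1 of the first octet is the locally administered (U/L) bit, and OS-level MAC randomization sets it. A network operator reviewing a lease table can therefore tell a randomized address from a vendor-assigned one without any outside information. The following Python is an added example, not code from the thread or from any of the systems it discusses; the sample addresses and the lease lines are constructed for illustration.

```python
import re

# Constructed sample MACs (not taken from the thread): a vendor-assigned
# unicast address, a locally administered one of the kind randomization
# produces, an IPv4 multicast address, and the broadcast address.
SAMPLES = {
    "vendor": "00:1a:2b:3c:4d:5e",
    "local": "02:1a:2b:3c:4d:5e",
    "multicast": "01:00:5e:00:00:01",
    "broadcast": "ff:ff:ff:ff:ff:ff",
}


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def classify_mac(mac: str) -> dict:
    """Decode the two flag bits of the first octet plus the OUI.

    Bit 0 (0x01) set  -> group (multicast/broadcast) address.
    Bit 1 (0x02) set  -> locally administered, i.e. not burned in by the
                         vendor; this is what MAC randomization sets.
    """
    octets = parse_mac(mac)
    first = octets[0]
    multicast = bool(first & 0x01)
    local = bool(first & 0x02)
    if octets == b"\xff" * 6:
        kind = "broadcast"
    elif multicast:
        kind = "multicast"
    elif local:
        kind = "locally-administered"
    else:
        kind = "universally-administered"
    return {
        "mac": octets.hex(":"),
        "oui": octets[:3].hex(":"),      # vendor prefix; only meaningful when universal
        "multicast": multicast,
        "locally_administered": local,
        "kind": kind,
    }


def randomized_clients(lease_lines) -> list:
    """Return (ip, mac) pairs whose MAC has the U/L bit set.

    Input lines are a constructed "ip mac" format, one lease per line;
    a real DHCP server's lease file would need its own parser.
    """
    found = []
    for line in lease_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac = line.split()[:2]
        info = classify_mac(mac)
        if info["kind"] == "locally-administered":
            found.append((ip, info["mac"]))
    return found


# Constructed lease table for the usage demonstration.
LEASES = """
# ip            mac
10.0.0.5        00:1a:2b:3c:4d:5e
10.0.0.6        02:1a:2b:3c:4d:5e
10.0.0.7        a6:12:34:56:78:9a
10.0.0.8        00:50:56:aa:bb:cc
""".splitlines()

if __name__ == "__main__":
    for name, mac in SAMPLES.items():
        print(name, classify_mac(mac))
    print("locally administered leases:", randomized_clients(LEASES))
```

The only difference between the "vendor" and "local" samples is the 0x02 bit, which is why the second hex digit of a randomized address is always 2, 6, A or E. The opposite inference is not safe: a device can set a vendor-looking address by hand, so a clear U/L bit proves nothing about who is behind the address.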


You're going to all sorts of gyrations to avoid the obvious. The fundamental question is still: do you know that you're not allowed?

I agree that I'm darting around, but it's in the interest of truth. Here's the problem: if Aaron was running an automated MAC randomization system for the purpose of personal privacy, he would never have known that his MAC was blocked. The details of his case show that he was aware, but this OP describes a situation in which there is no awareness. If the law is primarily concerned with the knowledge aspect, this can be attended to on a case by case basis. However, much of the discussion has suggested that a MAC is an identifier, and any alteration of this identifier is criminal. This should not be the case.


Swartz was not running an automated MAC randomization system.

His defense team vigorously contested the searches of his home, office, computers, even the netbook found in the closet at MIT under the aegis of his expectation of privacy at MIT; his team also attempted to have wire fraud indictments dismissed by challenging the notion that IP and MAC address "spoofing" constituted false statements. If Swartz had been continuously "spoofing" his addresses, he surely would have raised that point. Instead, he appears to stipulate that he was altering his addresses to bypass the authorization controls at MIT.

I wrote the first line of this comment a couple hours ago because I remembered reading this on Sunday, but it took me a while to track down the exact filing.

https://ia700504.us.archive.org/29/items/gov.uscourts.mad.13...


From that court submission (https://ia700504.us.archive.org/29/items/gov.uscourts.mad.13...):

>By the same token, obtaining new IP addresses by “spoofing,” i.e., changing, the Acer’s MAC address, Indictment, ¶¶19(a)-(c), 27(a)-(c), also cannot constitute false statements or misrepresentations or omissions of material fact, nor can Swartz’s use of an automated collection device which made it appear that multiple people were requesting articles rather than a single person making multiple requests, Indictment, ¶34(c). //

So they're really claiming that writing a program to appear to be many people accessing data when only being one person, that program solely being to gain unauthorised access, wasn't fraudulent at all.

Does anyone genuinely believe that?


> Does anyone genuinely believe that?

Yes. Engineers deal with uncooperative systems all the time. One might have the task of getting SCADA system A to integrate with financial system B, and report to management system C. But SCADA system A rate limits requests from a single origin, and the financial calculations will be inaccurate without more frequent updates. So, the engineer creates a system that appears to be multiple different origins to SCADA system A, and the world still turns.

I think what terrifies lawmakers and non-technical people is that, for the first time in history, computers present a potential world in which their expectations of the outcome of force and command do not apply; a virtual universe in which the laws are entirely different, and it takes bending over backwards to make the old laws of the physical world apply in the virtual world. So they do the only thing they know how, apply the physical world's laws of force and command to that chunk of the physical world at the opposite end of the virtual world, in a scale that is proportional to their vast fear instead of the actual behavior.


OK, but you don't do that for other people's industrial control units.

Look, I've done MAC spoofing, switched UAs, tunnelling, used VPNs and such; it's not rocket science - certainly a moderately computer-able person with legal training is going to be able to understand such things.

It's like signing up for multiple API keys in contravention of the ToS; you know it's not authorised.

There's nothing especially technical about what happened; my only incredulity is that anyone supposes a person doing such a hack wouldn't know it's not _authorised_ (ie countenanced by the system owners). The first thought in addressing the access limit is that switching IP and/or MAC and/or UA is likely to enable access to 3(?) more JSTOR docs - but there's a realisation implicit within that of the JSTOR owners having only authorised a very limited access.

Now if we're talking about the ridiculousness of the proposed sentence that's an entirely different matter ...

As an aside, I'm surprised no-one has crowdsourced the gathering of all JSTOR docs; they'd need an index, a script to pass the links to a person for download and a repository for upload. It would be just as copyright infringing as any other method but far harder to trace - the majority of it could be automated I'd expect (perhaps not the JSTOR registration).


I'm not an expert in the law, but I don't think it's the case that "any alteration of the identifier is criminal."

Now, is it the case that if you habitually use MAC address randomization and try to access a network repeatedly without permission, your randomization of MAC address might be interpreted as a way of trying to get around blocks? This is quite possible, and will be handled by a jury that probably doesn't understand why anyone would randomize their MAC address any more than they would understand why anyone would habitually walk around wearing a ski mask. I think that's a legitimate concern.


> This is quite possible, and will be handled by a jury that probably doesn't understand why anyone would randomize their MAC address any more than they would understand why anyone would habitually walk around wearing a ski mask.

I would hope that someone would realize that wearing a ski mask for no reason has considerable downsides, while changing your MAC address for no reason has none.

What if someone uses different devices instead of changing the identifier of one device? A policy that very explicitly says you can only take so much food on a plate, but that anyone can take a new plate, doesn't suggest that the server is too concerned about how much food is served.


> I would hope that someone would realize that wearing a ski mask for no reason has considerable downsides

On this note, I recall several years ago while in college getting a mass email from administration that warned students not to wear masks during Halloween on the street because doing so was banned in the city. A quick googling just now doesn't turn up anything of the sort, though it does seem some other states have laws concerning masks, though often with exceptions for children, holidays, religion, education, etc.


> However, much of the discussion has suggested that a MAC is an identifier, and any alteration of this identifier is criminal. This should not be the case.

Who specifically has suggested that it should be the case? You're constructing a strawman or not reading what people are writing.

The criminal act is continuing to do something after you've been told to stop.
