In a radical departure from most Felony crime definitions, this one doesn't require showing any damage or criminal intent (both absent in this case). In this Computer Crime law, legislators replaced the usual criminal intent element with a "...for personal gain" clause. In an amazing feat of legal gymnastics, this clause was apparently satisfied by Mr. Schwartz' open admission that he expected his employer (Intel, the victim) to appreciate and reward his unauthorized efforts to help improve their security. Thus, his intent to help the 'victim' was key to successfully making a felon of him.
While it's clear that Mr. Schwartz made mistakes, and that they are particularly obvious mistakes in today's atmosphere, they were mistakes well within the bountries of socially positive 'common practice' in earlier times.
When 'wizards' saw or suspected a problem on any system that they were associated with, and it was within their power to 'fix' it easily, they did so, regardless of whether it was their job or not. They were rarely chastised and often praised for behaving this way.
There are several practical lessons every computer professional in Oregon should learn from this case:
1) The Computer Crime law is so broad that it's easy to violate unintentionally, and avoiding doing so at all costs may sometimes conflict with what you see as the best interests of your employer. In these cases, pull back emotionally a bit and think what the real consequences are to you personally. If policy doesn't let you do a good job, let management know. If they don't care after you've explained it a few times, document your concern and then let it go.
2) Stay beyond even the appearance of impropriety. If you're doing something that may look weird, let potential witnesses know in advance what you're up to. If you don't actively communicate, and it looks like a crime, your employers will probably call the police instead of asking directly for an explaination. Once the police are called, you start losing. The least damage you can hope for is some professional embarassment, and the mess can accelerate quickly into complete disruption of life and career. It's much easier to avoid raising unfounded suspicion than to quell it once it's been raised.
3) Remember that, ultimately, the police work for more for the prosecutor than 'the truth'. Their job is not to find the truth, it's to collect as much evidence as possible that you're guilty, whether you are or not. Once they start looking at you like a suspect, shut up. Don't try to explain what really happened without consulting a lawyer. Mr. Schwartz freely answered all their questions which, taken out of context, supported his conviction.
4) If case goes to court, realize that all the jury needs to hear is "blah blah blah, computer crime" and they'll convict, even if they don't understand a word of it. If you feel like crying, read the transcript of the prosecutors case devolving from mild incoherence into a completely meaningless string of buzzwords, and still getting a conviction.
http://www.rahul.net/jeffrey/ovs/cs2.html
The real unanswered (and mostly unaddressed) question left over from the Intel/Schwartz case is: Why did Intel continue to push for prosecution, once it became clear they had over-reacted? Possibly just for CYA (cover your ass-ets). Intel security freaked when they noticed randal was running the 'crack' program (a standard tool for both good guys and bad guys). They called the police, who got a warrant and searched Schwartz' residence for signs of IP theft (there were none). Intel representatives went in with the officers and helped with the search, which was argueably improper. At that point 2 things probably became clear: Schwartz wasn't up to anything nefarious, and Intel might have legal exposure for damaging Schwartz' reputation and wandering into his house on the coattails of the police. Since it was never revealed who at Intel decided to press for prosecution, we'll probably never completely understand their motivations.
We've recently seen legislation in other countries disallowing use of closed-source code (like MS Windows) in government because they recognized the practical power it gave the vendor to control the way they did business (forced upgrades into reduced functionality, possibility of spyware, etc).
Unless there is some dramatic changes, I think the USA will go the other way by setting legal standards that are intrinsically incompatible with Open Source.
When the DMCA is joined by the upcoming Disney-pushed SSSCA (mandates hardware/OS that supports digital rights management (ie, makes your computer second-guess you)), I expect the resulting 'standards' will make Linux (as we know it today) illegal.
SSSCA says an OS will have to include government-approved 'anti-piracy' measures, and it's difficult to see how Linux could be approved under such a standard. It's power, modularity, and open source nature make it very difficult to 'cripple' in a meaningful way.
The Linux community would overcome any superficial attempts at code-based restrictions on user actions (or access-control, as the DMCA calls it), at which point Linux itself would be removed from any SSSCA-approval lists it might have joined, and likely be declared an 'access control circumvention device' as well. Under the 1-2 punch of DMCA+SSSCA, anyone caught distributing Linux would be charged with at least one Felony (5 years in jail, etc, etc).
It seems unthinkably extreme, but a few years ago I wouldn't have believed that posting independently created source code necessary to make a Linux DVD Player would land someone in court (Apparent Motive: An unlicensed DVD Player would allow Europeans to view America-only DVDs before the films were released in theaters overseas).
A few months ago I wouldn't have believed that the FBI would actually arrest a Russian programmer, working in Russia, for writing a program that only allows full access to legitimately purchased e-books.
A few months ago I wouldn't have believed that the DoJ would continue to prosecute such a person even after the 'victim' declared that they didn't want to pursue it any further.
I certainly didn't expect the legislators who passed the DMCA (and will decide if SSSCA should pass) to respond to these and other examples of free-speech surpression by saying the DMCA is working exactly the way they wanted it to!
Slashdot Mirror
In a radical departure from most Felony crime definitions, this one doesn't require showing any damage or criminal intent (both absent in this case). In this Computer Crime law, legislators replaced the usual criminal intent element with a "...for personal gain" clause. In an amazing feat of legal gymnastics, this clause was apparently satisfied by Mr. Schwartz' open admission that he expected his employer (Intel, the victim) to appreciate and reward his unauthorized efforts to help improve their security. Thus, his intent to help the 'victim' was key to successfully making a felon of him.
While it's clear that Mr. Schwartz made mistakes, and that they are particularly obvious mistakes in today's atmosphere, they were mistakes well within the bountries of socially positive 'common practice' in earlier times.
When 'wizards' saw or suspected a problem on any system that they were associated with, and it was within their power to 'fix' it easily, they did so, regardless of whether it was their job or not. They were rarely chastised and often praised for behaving this way.
There are several practical lessons every computer professional in Oregon should learn from this case:
1) The Computer Crime law is so broad that it's easy to violate unintentionally, and avoiding doing so at all costs may sometimes conflict with what you see as the best interests of your employer. In these cases, pull back emotionally a bit and think what the real consequences are to you personally. If policy doesn't let you do a good job, let management know. If they don't care after you've explained it a few times, document your concern and then let it go.
2) Stay beyond even the appearance of impropriety. If you're doing something that may look weird, let potential witnesses know in advance what you're up to. If you don't actively communicate, and it looks like a crime, your employers will probably call the police instead of asking directly for an explaination. Once the police are called, you start losing. The least damage you can hope for is some professional embarassment, and the mess can accelerate quickly into complete disruption of life and career. It's much easier to avoid raising unfounded suspicion than to quell it once it's been raised.
3) Remember that, ultimately, the police work for more for the prosecutor than 'the truth'. Their job is not to find the truth, it's to collect as much evidence as possible that you're guilty, whether you are or not. Once they start looking at you like a suspect, shut up. Don't try to explain what really happened without consulting a lawyer. Mr. Schwartz freely answered all their questions which, taken out of context, supported his conviction.
4) If case goes to court, realize that all the jury needs to hear is "blah blah blah, computer crime" and they'll convict, even if they don't understand a word of it. If you feel like crying, read the transcript of the prosecutors case devolving from mild incoherence into a completely meaningless string of buzzwords, and still getting a conviction.
http://www.rahul.net/jeffrey/ovs/cs2.html
The real unanswered (and mostly unaddressed) question left over from the Intel/Schwartz case is: Why did Intel continue to push for prosecution, once it became clear they had over-reacted? Possibly just for CYA (cover your ass-ets). Intel security freaked when they noticed randal was running the 'crack' program (a standard tool for both good guys and bad guys). They called the police, who got a warrant and searched Schwartz' residence for signs of IP theft (there were none). Intel representatives went in with the officers and helped with the search, which was argueably improper. At that point 2 things probably became clear: Schwartz wasn't up to anything nefarious, and Intel might have legal exposure for damaging Schwartz' reputation and wandering into his house on the coattails of the police. Since it was never revealed who at Intel decided to press for prosecution, we'll probably never completely understand their motivations.
...And maybe Linux will disappear instead.
We've recently seen legislation in other countries disallowing use of closed-source code (like MS Windows) in government because they recognized the practical power it gave the vendor to control the way they did business (forced upgrades into reduced functionality, possibility of spyware, etc).
Unless there is some dramatic changes, I think the USA will go the other way by setting legal standards that are intrinsically incompatible with Open Source.
When the DMCA is joined by the upcoming Disney-pushed SSSCA (mandates hardware/OS that supports digital rights management (ie, makes your computer second-guess you)), I expect the resulting 'standards' will make Linux (as we know it today) illegal.
SSSCA says an OS will have to include government-approved 'anti-piracy' measures, and it's difficult to see how Linux could be approved under such a standard. It's power, modularity, and open source nature make it very difficult to 'cripple' in a meaningful way.
The Linux community would overcome any superficial attempts at code-based restrictions on user actions (or access-control, as the DMCA calls it), at which point Linux itself would be removed from any SSSCA-approval lists it might have joined, and likely be declared an 'access control circumvention device' as well. Under the 1-2 punch of DMCA+SSSCA, anyone caught distributing Linux would be charged with at least one Felony (5 years in jail, etc, etc).
It seems unthinkably extreme, but a few years ago I wouldn't have believed that posting independently created source code necessary to make a Linux DVD Player would land someone in court (Apparent Motive: An unlicensed DVD Player would allow Europeans to view America-only DVDs before the films were released in theaters overseas).
A few months ago I wouldn't have believed that the FBI would actually arrest a Russian programmer, working in Russia, for writing a program that only allows full access to legitimately purchased e-books.
A few months ago I wouldn't have believed that the DoJ would continue to prosecute such a person even after the 'victim' declared that they didn't want to pursue it any further.
I certainly didn't expect the legislators who passed the DMCA (and will decide if SSSCA should pass) to respond to these and other examples of free-speech surpression by saying the DMCA is working exactly the way they wanted it to!