A whole bunch of insanely famous security researchers, plus myself, wrote an amicus brief for Weev. Go read it at https://github.com/ussjoin/weevamicus/releases.
Update, July 29, 2013: Two good articles on the amicus brief and the effect that Weev’s conviction has as we approach the DEF CON and Black Hat USA season: Security researchers file appeal for Weev following AT&T/iPad “hack” and Fear of prosecution hampers security research, the latter of which focuses particularly on the damaging effects to all consumers from harassing independent security researchers.
I’m a hacker; I’m also a law student. I’ve spent some time trying to convince those in column A that they need to also spend some time in column B; we need more people who can do both. I haven’t been able to spend a huge amount of time doing both at once—but that changed over the last few months.
Back at ShmooCon 2013, Meredith Patterson, Dan Hirsch, Sergey Bratus, and I were discussing Weev—for those of you who haven’t followed, he got sent to prison for 41 months for adding 1. This is one of those really, really bad ideas: the interpretation of the Computer Fraud and Abuse Act that the government used to convict him was that even public information, publicly served, could be restricted if someone said so, after the fact. A lot of security researchers have publicly destroyed their work, representing months or years of their time, rather than try to do their work after this conviction. It’s terrifying, and for good reason: if Weev, then all of us, too.
So what did we do?
We formed a group to write what’s called an amicus brief. Amicus is short for amicus curiae, or friend of the court; the plural is amici curiae. An amicus brief, then, is a kind of letter to the court, asking them to take into account the perspective of some group that isn’t party to the litigation—which in the case of a criminal case, means someone who isn’t the defendant or the government. In this case, the perspective is that of the independent security researchers who are affected, and the court in question is the Third Circuit Court of Appeals, since that’s where Weev’s appeal is sitting now.
I was chosen to do the primary drafting on the brief, since I’m a law student and was willing. A friend of mine, Alex Muentz, who’s a Real Lawyer who practices in Pennsylvania, was willing to sign the brief and submit it to the Third Circuit (because he’s awesome). A whole lot of work later, I had an initial draft, which the amici tore apart; over the next two months, then, we built something pretty good. It was a heck of a team effort: every single member of the group contributed at least a thought to the brief that we didn’t have before, and several contributed a lot of great material and ideas. All the work was done for free, even by the Real Lawyers (of which there are two, Alex and Peyton, in the amicus group).
In the end, we were fortunate enough to receive consent to file from both parties—both Tor Ekeland, who’s Weev’s attorney, and the US Attorney assigned to the appeal. This was great; courts usually let amici file, but not always, so it removed one last speedbump.
So who are these mysterious amici? It’s a pretty epic list: we kick the Magnificent Seven’s butts.
- Meredith Patterson - she of LangSec fame, among many other areas of fame
- Brendan O’Connor - your humble scrivener
- Professor Sergey Bratus - Patron Saint of the Gospel of the Weird Machines
- Professor Gabriella Coleman - Hacker historian and scholar writ large
- Peyton Engel - Hacker, pen tester, Real Lawyer, and generally neat guy
- Professor Matthew Green - Cryptographer, great professor, gets interviewed a lot about all his research
- Dan Hirsch - Another LangSec researcher, analyst, and cool dude
- Dan Kaminsky - Do I really need to introduce Dan Kaminsky?
- Professor Samuel Liles - a professor doing research on “cyber warfare”
- Shane MacDougall - 2x Defcon Black Badge winner, social engineer extraordinaire
- Brian Martin - The man behind the legend behind the squirrel
- C. “Space Rogue” Thomas - Founding member of The L0pht
- Peiter “Mudge” Zatko - Another founder of The L0pht, but also a now-former DARPA Program Manager, responsible for Cyber Fast Track
To make sure the court knew how cool these people were, we made an Appendix. Ordinarily, the appendix on these sorts of briefs is reserved for documents from the record, affidavits, etc. Instead, we attached the CVs of everyone in the group—a staggering 61 pages worth, in the end.
What happens now?
Well, the brief’s done (it will be submitted on July 8, 2013); we can hope the court reads it. The attorney on behalf of the United States will be able to write his brief, after which Weev’s attorneys will have one more shot. The amici will be done, however; we don’t write response briefs (unless the court specifically asks us; in general, if a Court of Appeals says to write more, you do that).
So now we wait, and hope. If you’d like to donate to Weev’s ongoing legal battles, you can do so at the CFAA Defense Fund, which is set up by Weev’s attorneys. We did our work pro bono so they don’t have to.
Thanks, of course, to all of the amici—especially those who signed on at the beginning, when the draft was nonexistent or terrible. Thanks also to all those who proofread the drafts, often over and over—including my parents (both Real Lawyers), my brother (also a Real Lawyer, who graduated in May), and my girlfriend, Kathryn Sweet, who in addition to reading several drafts of the brief and fixing my grammar, also had to deal with me while I wrote it—for about three months.
If you’d like to talk to me about this, leave a comment below, or email me: blog -at- ussjoin -dot- com.
Postscript: Why Defend Weev?
I want to draw out my earlier concept a bit: if Weev, then everyone. Why? After all, Weev is a notorious troll. He’s ranted at some length about his dislike for Aaron Swartz, and in general, people dislike him. What could be wrong with letting him rot in prison, and waiting for someone we like more to be thrown in prison next? We’ll get the next one.
We can’t do that: mighty Casey will strike out, immediately; he got three strikes, but we only get one. In the United States, we have a system of precedent: higher courts rule, and their rulings control lower courts. Higher courts can overrule themselves, and sometimes do; for instance, in 2003, the United States Supreme Court ruled in Lawrence v. Texas, which overturned its previous decision in Bowers v. Hardwick that gays were evil. (I am paraphrasing.) Obviously, more recently, they’ve taken larger steps for the GLBT community. So that happens.
But it doesn’t happen much; it takes a long time for a court to recognize that it did the wrong thing. So in the interim, people live their entire lifetimes under the wrong rule of law—whether that’s in slavery, whether that’s working until people die from exhaustion, or any other area in which they might not be doing too well. And that assumes the right rule of law ever comes out: in Buck v. Bell, the Supreme Court allowed the forced sterilization of “mental defectives,” and they’ve never overturned that. (There are a few specific reasons that Buck still stands today, actually—but it’s true that it’s generally considered a constitutional right to have children, these days. If you’re curious why they haven’t overturned Buck, ping me.)
So what does this have to do with Weev? Well, it’s like this: Weev has appealed to the Third Circuit Court of Appeals, which has precedential weight: what they say becomes the law, until they change their minds (or the Supreme Court changes them for them). We can’t afford, as a community, to spend twenty, thirty, fifty, or a hundred years in a situation where corporations can retroactively punish users of the web for looking at their publicly-offered websites. Not only will that immediately destroy the security research community, but it will, ultimately, destroy the Internet as it stands. (Imagine you dislike someone. If they read your blog, even once, you can later call the FBI and state that they accessed your website without permission, and push for a felony conviction. Sound far-fetched? That’s essentially what the EFF concluded, too. It’s terrifying, and the EFF was talking about Terms of Service violations—and in Weev’s case, there wasn’t even a TOS at issue.)
The moment to stand and fight this is, therefore, now; “They claimed it was for the sake of their grandparents and grandchildren, but it was of course for the sake of their grandparent’s grandchildren, and their grandchildren’s grandparents.” (Young Zaphod Plays it Safe, by Douglas Adams.) And don’t think that living outside the Third Circuit (Delaware, New Jersey, Pennsylvania) makes you safe: Weev was actually in Arkansas when he allegedly committed his “crimes.” Since Internet traffic goes everywhere, there’s always a way to make venue lie in a particular area.
As I said back in April: Miranda was a rapist, Washington was a murderer, and Gideon was a thief. We don’t have to like someone to agree that they need their rights protected—because if we don’t defend them, we will all lose our rights. That’s the way criminal law works. So we defend Weev, because in doing so, we defend us all. Not a bad idea.