EFF filed a brief today in U.S. v. Lowson, again arguing that public websites can not decide who is and is not a criminal.

For why you should care about what happens to a bunch of Wiseguys cutting the virtual line for ticket purchases, check out my blog post.

New Research Suggests That Governments May Fake SSL Certificates | Electronic Frontier Foundation.

Prepaid Providers Seek to Put Locks On Your Phone and Their Hands In Your Pocket.

The awesome Ars Technica picks up my deeplink about an important new Ninth Circuit case interpreting the Computer Fraud and Abuse Act.

Are employees who use their workplace computers contrary to the interests of their employers criminals under the Computer Fraud and Abuse Act? Yesterday, the Ninth Circuit Court of Appeals said disloyal keyboarding is not a crime in LVRC Holdings v. Brekka.

Click through for more.

I’m blogging again, starting with this post on EFF Deeplinks about the September 2008 amendments to the Computer Fraud and Abuse Act.

Here’s the upshot:

The amendments broaden the already extensive reach of the law, and fail to clarify the most vexing question about the statute, the definition of “unauthorized access”. However, they do shed some light on the issue of what constitutes the necessary element of “damage”, showing that several cases holding that mere unauthorized viewing of data is sufficient for a CFAA claim were wrongly decided. As a result, the new amendments may give internet innovators, researchers and speakers some arguments that could keep search engines, vulnerability reporting and other legitimate uses of computer systems legal.

Click through for more CFAA wonking out.

My recent post on the EFF blog talks about the difficulty that web security researchers have doing their work, in light of the Computer Fraud and Abuse Act and similar state statutes. While pen testers and other hired security guns can get written authorization to do security audits, members of the public have little leeway to explore the ways a website works or breaks, even when that vulnerability means that customer data is exposed to fraudsters. Read the post –Computer Crime Laws Chill Discovery of Customer Privacy Threats | Electronic Frontier Foundation– for more about the issue.

In yesterday’s Circuit Court column “Free the Spam King” I take on the question of whether criminal prosecutions will stop spam, or are even fair. This one has engendered a lot of hate mail. It seems the only thing people hate more than child porn is spam.

Some of the comments following Bruce’s discussion of the Andrus case and Fourth Amendment issues when a computer search is based on third party consent are interesting: Read them here. Get Professor Ohm’s and my brief here.

Paul Ohm and I wrote an amicus brief in the 10th Circuit case of US v. Andrus, the opinion I wrote about in last week’s Wired News column. In the case, the defendant’s aged father gave officers permission to search his adult son’s computer without a warrant. The father, however, did not have the authority to consent and the computer was password protected. The officers used EnCase, which is not limited by password protection, and have thus successfully claimed that they had no reason to know that the father was locked out of the machine did not have the authority to allow their search.

If you are interested in the brief, which discusses why the Fourth Amendment requires that digital locks be treated the same as physical locks as well as the hypocrisy of investigators who claim EnCase gave them no clue that the father was locked out of the machine, while routinely using the very same program to identify passwords and permissions for the purpose of proving ownership of contraband files, you can download it. (pdf)

I link to the original decision and my column from this earlier post.

Michigan man dodges prison in theft of Wi-Fi | Tech news blog – CNET News.com

Arrgh! Why don’t these wi-fi users call me? I’d love to help fight a prosecution like this.  Apparently, Orin Kerr and I agree that there are a lot of solid defenses to this kind of charge.  I’ve even written a motion that is a broader corollary of the due process claim Orin describes.
The brief argues that Anglo-American jurisprudence usually requires that the criminal defendant have a guilty state of mind (mens rea) and that if a statute does not expressly state that the crime is one of strict liability, then courts must read mens rea into the statute.  What this means for users of open wireless access points is that the prosecution should have to prove that they knew their access was prohibited by the owner, and that lack of authorization can not be presumed, especially in the absence of security barriers or warnings.
Now I’m just waiting for an opportunity to use this argument.