
> First of all, Watt did not have any malicious intent -- he wrote a packet sniffing program and gave it to a friend, and did not participate in nor benefit from his friend's crime.

The jury concluded based on the evidence that he knew that his friend intended to use it to commit a crime. Knowledge and conscious disregard for the fact that your work is being used to commit a crime is indeed malicious intent.

> Really, I am not seeing what your issue is with the comparison between the three cases. In all three cases, men faced charges of CFAA violations that were completely inappropriate.

In two of the cases, the men were directly involved in the commission of a computer-related crime and acted maliciously. If you're trying to show the injustices of a law, it's generally a good idea to find sympathetic defendants rather than criminals or their accomplices.



"Knowledge and conscious disregard for the fact that your work is being used to commit a crime is indeed malicious intent."

Cryptographers beware...

"computer-related crime"

Except that "computer-related crime" has come to mean "any crime in which a computer is used." As more and more things become computerized, more and more crimes will be "computer-related." Eventually everyone who is accused of a crime will also be accused of a CFAA violation, which will weaken everyone's defense.

"If you're trying to show the injustices of a law, it's generally a good idea to find sympathetic defendants rather than criminals or their accomplices"

Henry Louis Mencken addressed this more eloquently than I can:

"The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all."


Just as there is a difference between making guns in general, and making a specific gun for a friend who has indicated that he will use it for a specific crime, there is a difference between making programs which can be used in crimes in general and making specific programs to aid and abet specific future crimes.

Your point about computer crimes becoming more prevalent is certainly justification to alter legislation dealing with computer crimes so that minor infractions have minor penalties, but I never saw rayiner arguing to the contrary.


IANAL, but I think "knowledge ... a crime" means a particular crime, not a general category. So if you reasonably suspect that your work might be useful to criminals, that's not conspiracy, but as soon as one particular criminal tells you he intends to use your software for a particular crime, you're a conspirator unless you report him to the authorities. So honest cryptographers have nothing to fear, unless a criminal tells them about his crypto-assisted crimes and they don't report it.


>If you're trying to show the injustices of a law, it's generally a good idea to find sympathetic defendants rather than criminals or their accomplices.

So what do you do if you're trying to show that the law has excessive and disproportionate penalties?


I'd find a better case, for starters.

The trade secret charge has the harshest penalty, and is independent of computer use.

The conspiracy charge has the same maximum as the unauthorized network access charge.

Someone who is an expert at the Federal Sentencing Guidelines will have to chime in with what that means for an eventual sentence, but I suspect that even if the computer violation were considered extremely minor that it would have nearly the same marginal effect on the eventual sentence, once the trade secret and conspiracy sentences are thrown into the mix.

Even if the prosecutors had never mentioned the term "computer" this guy would be in some deep shit...


>I'd find a better case, for starters.

I was responding to the general point.

But as for finding a better case, the problem is that you don't get to pick which cases get prosecuted. If the parties have decided to appeal then a precedent is going to be set here one way or the other. So let him go to jail for what he actually did -- there is no reason to allow the CFAA charge to be piled on top of that and set a terrible precedent for next time when the defendant is sympathetic but the question has already been settled.


Why is it OK to have a law against something as general as mail fraud, given that pretty much everyone has used the post at some time or another, but have no law at all regarding computer crimes?

I would understand arguing that CFAA in particular is overbroad but it's hard to claim it's being used in this case in a way that's inconsistent with the rest of the U.S. Code. In fact even the CFAA is more narrowly-focused than the aforementioned mail fraud law.

And that's what I mean by "finding a better case". This is simply not a suitable demonstration of stupendous overreach. Prosecutors pile charges on, that's what they do. They only get one trial to sort everything out and entire swaths of their case can be thrown out in one fell swoop so yes, they'll stick everything they feel they can prove on there.

Even with some theoretical replacement for CFAA that is more fair I would think that at least the authorized access using a co-conspirator's credentials would end up being a chargeable offense, so the difference here is with the remaining accesses that were made. And even those are hard to claim would be "authorized" access with a straight face, as why would any company authorize access to their networks for the purpose of industrial espionage?


>Why is it OK to have a law against something as general as mail fraud, given that pretty much everyone has used the post at some time or another, but have no law at all regarding computer crimes?

I don't understand what your question has to do with what we were discussing. Who said we should "have no law at all regarding computer crimes"? There may be a need for specific regulation regarding some unique aspect of what computers do, or for carving out specific provisions in existing laws when some distinctive feature of computers changes the analysis, but that isn't what the CFAA is. We have laws against theft of trade secrets, what cause is there for them to work differently or have different penalties just because a computer is involved? And if there is such a cause, why must it be addressed with a law having such breadth and penalties as the CFAA rather than something more narrowly targeted at the actual evil?

>In fact even the CFAA is more narrowly-focused than the aforementioned mail fraud law.

The mail fraud law may be similarly problematic, though it at least is mitigated by the fact that it requires you to use the mail, which is becoming less and less common and even in its heyday was never involved in so much of the everyday activities of normal citizens as the internet is today.

>Prosecutors pile charges on, that's what they do. They only get one trial to sort everything out and entire swaths of their case can be thrown out in one fell swoop so yes, they'll stick everything they feel they can prove on there.

Which is kind of the point: They're willing to abuse whatever you give them, so we shouldn't be giving them anything so easy to abuse.

>Even with some theoretical replacement for CFAA that is more fair I would think that at least the authorized access using a co-conspirator's credentials would end up being a chargeable offense, so the difference here is with the remaining accesses that were made.

I think there is a case to be made that authenticating with someone else's credentials (and nothing more) does not need to be a federal offense. Imagine the same scenario (you log on to a friend's work computer using their credentials) but you do so for some totally innocuous purpose like reading The New Yorker online while your friend is finishing up some work. How do you suppose that behavior justifies a federal prosecution? That's the thing the law prohibits, not the actually malicious thing that may or may not follow it.

And all of this is ignoring the original point, which is that even if unauthorized access without any distinct malicious act is to be illegal, the existing penalties remain unjustifiable.

>And even those are hard to claim would be "authorized" access with a straight face, as why would any company authorize access to their networks for the purpose of industrial espionage?

I think you're just proving the point that "unauthorized access to a computer" is a preposterous basis for legislation. If the way you know that access is unauthorized is that breaking some other law implies unauthorized access, what good is the law against unauthorized access? Just attach the penalties you would have attached to unauthorized access to the actually malicious thing the doing of which implies that access was unauthorized and be done with it.



