What, exactly, is the crime this polite intrusion is investigating? I’ve lost it in the weeds. Is she suspected of falsifying and altering information? In the midst of a public health emergency, that would be some serious shit.
If she suspected of altering the layout and font of publicly available information? Bold face insubordination? Is that a crime, somewhere, any where? Are there any clear and official statements on this? Was any crime actually committed? And when might we expect such charges to be brought?
Somebody, somewhere, misused some sort of emergency broadcast email system to send a message. I wouldn’t put it past DeSantis or someone on his staff to have staged the whole thing as an excuse to implicate Jones and seize her equipment.
I’m telling you, read the article by Snopes. It’s objective and informative and lacks the sensational bullshit you’ll see in the mainstream news articles. Here is what it says:
The affidavit stipulates that the search was warranted because probable cause existed that the person or persons operating from that IP address at that time had, through their actions, violated Chapter 815.06(2)(a) of the Florida statutes, which states that:
(2) A person commits an offense against users of computers, computer systems, computer networks, or electronic devices if he or she willfully, knowingly, and without authorization or exceeding authorization:
(a) Accesses or causes to be accessed any computer, computer system, computer network, or electronic device with knowledge that such access is unauthorized or the manner of use exceeds authorization.
The penalty for that offense, which is a third-degree felony, is a prison sentence of up to five years, andor r a fine of up to $5,000.
Reflect for a moment how much mischief could be dignified by such wording. If one advances truth without official permission, to the discomfort and dismay of TPTB…I daresay someone has acted without “authorization”. The arcane details of legalistic justification is beyond me, a boor of little brain.
I agree with you that the official reaction was excessive, and could hardly reflect any other intent but to intimidate and silence. Bad enough in a normal time of craven and corrupt political skulduggery. But in a severe public health emergency, it stinks to high Heaven.
The alleged crime is that someone sent a message to a group of officials using a “password protected” part of the emergency alerts system. The message urged people to speak out.
I put password protected in scare quotes because all authorized users shared a single username and password for logging in, which was not changed when she was fired. She also says that a handful of other people had just been fired when it went out, and that a number of deaths that was quoted in it was inaccurate, which she would not do.
Given the password situation, how can the state ever prove that one of these recently fired people didn’t visit her and ask to borrow her computer for a minute? All they have is an IP address.
Think of it instead of being a computer system, it was a physical facility.
Imagine that she went back into her government building after hours because the lock had a key code shared by employees and they didn’t change it after she was fired. I think she is suspected of committing the electronic equivalent of that.
Obviously that would be a crime. How serious a crime is a matter of opinion (and a matter of the courts, of course).
I believe she is accused of sending an email to a mailing list. The mailing list is password protected, but every user has the same used ID and password, and they are (I am told) available on the internet if you google for it.
Yes… well, more like walking in in the middle of the workday, I thnk. And if you used the unchanged code to walk into the building and leave a note on the lunchroom fridge, or some other visible place, saying, “there are a lot of covid deaths, we all ought to speak out about it” it would not be a very serious crime. It’s only serious enough that someone was talked into writing a warrant to invade her house because our “hacking” laws are very badly written and overly harsh and broad.
Also, she denies she did it. And since anyone could have gotten the credentials to do it, I can’t see how they can prove she did it. Odds are she and several of her neighbors all share IP addresses from the local ISP, for instance.
The story that it’s not about the crime, but about intimidating her and anyone who might be helping her seems pretty credible.
By the way, this would be a great case for jury nullification. What she’s accused of doing, the moral equivalent of posting a note on the shared fridge, is a felony. Because the law is an extraordinarily bad law.
It would also be a nice poster child to get congress to change the law. But I’m kinda a pollyanna.
Is anyone else thinking what I’m thinking, which is that Florida agents raided the home of … a drama queen? I have no idea if she’s guilty of any cyber crime, large or small, but on the face of it, it appears that the Florida agents made a huge mess of the situation.
However, I can also believe that Rebekah Jones might be a bit of an attention seeker. This in no way justifies the behavior of the agents. Hell, I’ve watched the video she released and I would be utterly terrified and outraged if anyone, government-sanctioned or not, pointed a gun up the steps where I knew my family was located.
I do get the sense we may be missing some context (NOT justification). Believe me, I’m not victim-blaming here. Merely pointing out the possibility that, as much as we would like our heroes to be flawless creatures, unmistakably wronged without the slightest hint of nuance, the real world rarely delivers such perfection. Maybe she was a self-indulgent, argumentative, arrogant person who didn’t care if she gave her bosses a headache, and didn’t think the rules applied to her.
Look into the CFAA. It criminalizes accessing a computer without authorization or exceeding authorization. On the surface that doesn’t seem like a problem, but it ends up being the moral equivalent of a felony conviction for walking past a “no trespassing” sign to look through the window of a closed store.
It has been consistently used to convict people of felonies (usually charge and plea bargain) for doing things that caused no actual harm. Like any vague law, it has been used for things like punishing security researchers for discovering vulnerabilities, scraping data with the authorized user’s permission, or even scraping publicly available data (no login necessary).
Anyway, it is a very powerful tool that prosecutors can bring to bear against somebody regardless of the actual damage the person caused.
If it weren’t a crappy law, they wouldn’t have been able to get a search warrant (to execute with drawn guns!) based on what she is accused of doing. In any rational world, the correct response to “an unauthorized person sends an email to a mailing list” is to tell the person to stop doing it, and change the password. Not “send armed cops to wave guns in the general direction of her and her family, and steal all her computer equipment.”
Honestly, I have no problem with criminal prosecution against someone who makes unauthorized use of a computer system. I think that’s worth more than telling someone to knock it off, but I don’t think it should come anywhere close to a felony putting you in prison for more than 5 years, that seems insane to me.
For the severity of the crime in the law, it seems warranted (heh) to confiscate equipment for forensic evaluation (“stealing” is a ridiculous way to put it, you might as well say everyone who is arrested is being “kidnapped”) but (IMO) the law shouldn’t be that severe.
I was curious so I looked it up, and what she is suspected of would indeed be a crime in my own state of Washington.
However, it’s a “gross misdemeanor” which sounds far more sane than how Florida handles it.
You’ll also note that Washington does handle it differently based on what you are doing when you commit a “computer trespass”. If you are doing it to commit another crime (fraud, theft, whatever) it’s now a felony. If you maliciously do it to interrupt data service or a network, that’s a felony. That is a much better way to handle it. Florida’s law is really ham-fisted and didn’t seem to be given much thought.
Mrs. Jones hasn’t been arrested yet (to my knowledge), her property was confiscated as part of an investigation. The standard used to take private property for a criminal investigation is probable cause (a judge must sign off on a warrant), and there is no time limit where the state has to return your property. And the search itself - including its execution - is obviously supported by a warrant, which is in turn based on probable cause.
If Mrs. Jones was charged, the state would need to convince a jury beyond a reasonable doubt that she committed some crime. That does not necessarily mean the state has to prove that no other disgruntled employee committed the criminal act from within Mrs. Jones’s home. (It is impossible to prove a negative) Once the state proves that the message came from a specific machine in Mrs. Jones’s home, I would expect the burden to fall upon Mrs. Jones to argue that some other dude did it (SODDI). Just going up there and claiming, “maybe someone else was at my house and sent the message… but I can’t remember who has been to my house” isn’t going to convince a jury, IMO. The state will counterattack hard with motive and possibly records of her using said machine shortly before and after the alleged criminal act.
I never said they have to prove it if they never charge her. But if they did prosecute her, then yes, the burden is on the prosecution to eliminate the reasonable doubts. The defendant has no duty whatsoever to come forward with evidence of who she claims did it.
And in the context of a trial, the state has to prove negatives to a jury’s satisfaction all the time. It’s absolutely possible. If the system had a finite (small) number of users who knew the user name and password, the state could call each of them to testify that a) they did not send the message, and b) they did not give out the password. If the jury believed them all, then they would likely infer that Jones, the disgruntled Covid data cruncher sent the “speak out about Covid!” message.
But there might not be just a small number of people who have the username and password. It might be a very insecure system. Without anything tying it to her specifically, and not being able to rule out all others who could have access, then instead of it being a reasonable inference that she did it, it’s just speculation. The state has to prove that she did it. Not her husband, not a friend who also has the credentials. Her. I think they may not be able to prove that as a legal matter.
The CFAA is irrelevant. That’s not what she is suspected of violating. The feds aren’t going after her here.
She is suspected of sending a message using an emergency alert system which is secure (clearly not very secure but legally that doesn’t matter) and it’s going into that system that is the issue. If she did do that, she should have expected reprisal of some kind.