Help: FBI criminally charged me with $6MM loss for hotlinking. I didn't do it
Throwaway for obvious reasons.
I’ll try to be as concise as possible. Some details have been changed to protect myself.
I used to operate a website that hotlinked to an asset from $company’s S3 bucket. When $company was made aware of my doing from the FBI, the FBI asked them to calculate the loss amount. They did this by looking at IPs that hit the bucket over a span of 1 month, and the IPs that logged into $company’s service. The number of IPs that they didn’t recognize (about 25,000), multiplied by some multiplier, came out to about $6MM.
The problem: I know how many people I had on my website that hit that asset. It was in the hundreds, not the thousands, definitely not tens of thousands. I know this because my site required a subscription and I know how many subscribers I had. There were (and still are!) hundreds of sites that hotlink to $company’s S3 bucket today, causing them loss, that are free and easily accessible. I can show this.
When I told my lawyer that this couldn’t possibly have been calculated correctly, he said that I’m pretty SOL in arguing this loss amount. He’s not technical so I don’t know if he really understands. Regardless, I’m in the process of discharging him because he’s failed me multiple times in this case so far.
This reeks of all sorts of wrong. $company is an organization known to probably 95% of HNers, they’re a technical organization, and they could not have possibly made the calculation in good faith.
If anyone has any advice, I’d appreciate it. I’ll be checking this thread closely, but I can also be reached by email at hotlinking@protonmail[.]com.
First, I understand your technical arguments above (but IANAL.) Find a technical lawyer who understands that your logs and/or subscribers list sets a hard limit to the damage you might have caused. I'm a bit curious about why you're being charged at all if the S3 bucket was publicly available - there are easy ways for the company to secure their bucket if they choose (one example - https://www.msp360.com/resources/blog/how-to-prevent-hotlink...). Your headline states that you didn't do it but your description admits you did, but maybe not all of it. You need to be completely honest with this. The journalist in Missouri who identified teachers' SSNs on the state's web-site was in a similar situation and, while he's ultimately not going to be charged, his legal fees are hefty.
My understanding is they admitted they did it but not to the extent of loss this company is claiming they did-- thus would legally make the case more severe with sentencing...
IAAL, but am not providing legal advice here. If this is a criminal case (I assume it is, given the FBI's involvement), the presiding judge has pretty wide discretion to set the terms of the punishment for a conviction, subject to the specific penalties imposed by law and federal sentencing guidelines. Unlike in a civil case, monetary penalties are intended to be punitive, not restorative. The best your attorney can do is make the case as best as they can and plea bargain with the AUSA to get the penalty as low as possible; and failing that, beg the court for mercy, and be thankful if you manage not to go to prison. You can also plead innocence, go to trial, and hopefully avoid conviction altogether. (BTW, this post can be admitted into evidence if it comes to the AUSA's attention.)
Why are you facing any liability whatsoever for linking to public resources?
If the owner of that S3 bucket is facing losses from serving files to the public, why don't they revoke public access? S3 prints big warnings that you are making things public, so it's unreasonable for a company to claim "We didn't mean to make this public".
What was in the bucket? In any case, sounds like you need a better lawyer, I don't see how HN can help you without you going public and telling the whole story.
It seems every day the web is turning into an ask-permission-before-you-do-anything environment. Companies, instead of hiring a competent technical person, spend money on lawyers and lawsuits. It is scary for someone who grew up on the 90s' Internet. Not sure what was in the bucket, but in the 90s and 2000s, it was common to link to various resources on the web. My friend in college ran a popular forum where people shared direct links to video games, software, PDFs, etc. It, of course, facilitated piracy, but not everything linked there was illegal. I run a blog where I curate and embed YouTube videos. Yes I am using their official embed code. Using the standard HTTP protocol to link to a resource on the web is the official way to link. If they were bypassing a URL signature or something similar, then I can see how they were violating the terms and conditions of that bucket owner.
It is no defense to burglary that the homeowner left their front door unlocked.
This is a little different. This is akin to knocking on the door, asking if you can be let in, being invited in by the homeowner, and then having them give a tour around the house. It's entirely up to the owner of an S3 bucket as to who they serve their static assets to. If the policies are so lenient that anyone can request the resources, then that is a configuration error—not unauthorized access.
You are falsely assuming that allowing public access and serving the requested object constitutes an intentional act of invitation by a bucket owner.
If the alleged victim sought the FBI's assistance, it seems pretty clear that they did not intend to extend such an invitation, regardless of the bucket's configuration. Or, to extend the metaphor I made earlier, just because I left the door unlocked, it doesn't mean I meant to invite anyone in. And if they tricked my housekeeper to invite them in by falsely claiming I authorized them to come to pick up my broken laptop, they'd have no invitation defense, either. (Maybe they wouldn't be guilty of burglary, but certainly larceny.) Unauthorized access can occur whether the bucket is public or not. The law does not require that sufficient measures (or any measures, really) be taken to protect the assets in question. We can disagree as to whether it should, but that's not how it's written today. Before making comparative arguments here, it's a good idea to think about whether a judge would laugh at you or not. :-)
Please don't attempt to equate internet traffic to door locking. It's a tired old argument that fails the moment critical thought is applied.
> Unauthorized access can occur whether the bucket is public or not. The law does not require that sufficient measures (or any measures, really) be taken to protect the assets in question. We can disagree as to whether it should, but that's not how it's written today.
Citation needed. Probably more than one. Web scraping is most certainly legal. Everything involved in the ridiculous "breaking and entering an unlocked residential door" is done a billion times a day by web scrapers as a matter of course. The act of doing GET / wraps up finding a home, evaluating its entrances, knocking, opening the door, and taking photos of the entryway. In 50ms. I do agree with your last line. Definitely think about whether a judge would laugh at you or not...
> Please don't attempt to equate internet traffic to door locking. It's a tired old argument that fails the moment critical thought is applied.
It's a useful metaphor that gets people convicted. You might not like it or agree with it, but that's the way it is.
> Web scraping is most certainly legal. Everything involved in the ridiculous "breaking and entering an unlocked residential door" is done a billion times a day by web scrapers as a matter of course
Unfortunately you, like others, are ignoring the crucial element of consent. Web scraping is done lawfully only with the consent of the website scraped. When scraping is done non-consensually -- even if the website is public -- it can be considered trespass to chattels and might even constitute a CFAA violation. I know this because my company scraped eBay without their consent in the late 1990s/early 2000s and was shut down by a lawsuit. See, e.g., eBay v. Bidder's Edge, 100 F. Supp. 2d 1058 (N.D. Cal. 2000) (not my specific employer at the time, but in the same business). Ignore robots.txt at your peril, and treat the absence of one as a lack of consent. That's what Google and other search engines do.
I agree that the metaphor has some use, but I think most of these open access cases are more akin to trespassing in the woods at the far end of someone's large property or going through an unmarked door in a public building and finding oneself accidentally in a private space than breaking and entering into someone's home. That is, if there are no signs posted and you have not received notice that trespass is prohibited you should be given a healthy benefit of the doubt. It is obvious that homes are intended to be private, but not so for files being publicly served on the internet. This whole 'treat the absence of notice as a lack of consent' is a non-starter for me.
No metaphor is a perfect fit for the situation. It's a didactic device, nothing more. Nevertheless, nobody's getting criminally prosecuted for accidentally fetching a file.
Even someone who accidentally downloads child pornography once is unlikely to get in trouble for the mere act itself, provided they delete it as soon as they receive it. Acts that are getting people in trouble are intentionally downloading files they have no good reason to access, clearly aren't authorized by the owner, and the circumstances surrounding the activity indicate an illicit purpose. All the facts that indicate guilt are going to be argued by an AUSA to a court and possibly a jury; no judge is going to hang someone (metaphorically speaking) for a mere accident. C'mon, people. Use a little common sense.
"It's a useful metaphor that gets people convicted. You might not like it or agree with it, but that's the way it is."
It's a blatantly false metaphor. Burglary requires intent to commit a crime once inside.
Indeed, and the crime is stealing (unlawfully copying) the data within. Admittedly it is an imperfect metaphor -- as all metaphors are -- but it is not "blatantly false." Data is not fair game for the copying just because it's in a place you can reach it with `curl` without having to pass an authorization check. That's not the law, and it's not common sense.
Eh, you're not depriving a person of their property like in the physical world. It would be like trespassing and reading something. Again, a failed metaphor. What would really be common sense is for people to stop trying to fit bad physical metaphors on technology concepts. They don't work and they obscure the real points. Frankly, tons of stuff is illegal on the internet. You've likely committed felonies by violating a site's terms of service. That's how the DOJ applies the CFAA. It doesn't get enforced, just like that MO reporter didn't get arrested. Should they have been? It was unauthorized access which you claim is enough under law and common sense... It's my belief that intent alone is not sufficient. Actions speak louder than words.
Who cares if you say "no one is allowed to access this" and then leave public access enabled to something? It's common sense that you didn't secure it and you have no expectation of privacy. Look at traditional cell calls and radio. You're putting your information in public and others can view it. DNA you leave on trash can be collected without a warrant - and with no intent/consent on your part! The law is a mess and full of contradictions. Even when the statutes are sound they become perverted by activist or impartial judges as well as law enforcement or prosecutorial discretion. Rule of law is a joke when individuals have the power to decide not to enforce it. Also, I believe there was some case law recently that stated that publicly exposed or unsecured data can be accessed without it being a crime, but depended on the details. I don't remember the jurisdiction and I can't seem to find it now either. Oh well.
Property rights are about control and exclusionary rights, not about physical things like land and widgets. This is a common misconception among the public and one of the first things they teach you in your first-year property law course.
"This is a common misconception among the public and one of the first things they teach you in your first-year property law course."
Typical lawyer response - I know more than you and I'll give you an answer that looks down on you without addressing the meat of the topic.
"Property rights are about control and exclusionary rights, not about physical things like land and widgets."
I haven't said otherwise. This reinforces my position that these terrible metaphors draw people off topic and do not translate to virtual property the same - the whole reason trespass and computer trespass are separate crimes with separate elements.
In fact, I believe that most laws around computer resources have too much influence from traditional laws because the politicians and judges who wrote them relied too heavily on concepts from the physical world due to habit and a lack of understanding of the new concepts around technology and its possibilities. The real question is whether the laws are appropriate. It's an asymmetrical power dynamic that favors the stated intent of the owner over the stated intent of the user, even ignoring the actions of the owner when they're contrary to their stated intent. Computer trespass and unauthorized access is much more complicated and lacks the protective mechanisms that physical property laws have to protect non-owners. For example, consent and intent to let others use a computer resource is terribly vague. You don't need written permission to visit a website, there aren't clearly posted boundaries with signs stating this or that resource is off limits, etc. Even ToS tend to very poorly define boundaries within a system. Without clearly defined and posted boundaries as well as a lack of explicit grants or revocation of privileges in publicly accessible cyber spaces, we have created a system that favors the undefined undermining the underlying concepts of strict construction - that laws need to be defined strictly so that they can be applied equally and so that they are knowable to the subjects. In the case of cyber laws, relying on the stated intent of the owner which was not well defined anywhere nor communicated to the user as well as ignoring the intent perceived through the actions of the owner that contradict their stated intent. What we have is a system that will allow bad laws to stand because of unequal enforcement. Accessing publicly available URLs and the data returned can either lead to charges from the FBI against an unknown person, or to widespread support for a reporter.
Prosecutorial and law enforcement discretion means that we can use the laws only against undesirables and leave the majority of the population unaffected even if they met the elements of the offense. If it doesn't affect you, then why fix it...
You’re thinking like a programmer, which is fine, but it’s not how lawyers think and operate. The law is not read literally in most cases — even in traditional property crime cases — and never has been. (“Breaking and entering” is a perfect example.) It can’t be, because English is an imperfect language, and situations in which the law is applied are frequently complex and novel. And I don’t think society wants an overly complex and literal legal system: not only will it be even more difficult to understand, but it will encourage even more attempts to evade it and leave a trail of innocent victims until we patch the law to fix the bug. (And if you think it can take software companies a long time to address vulnerabilities, the legislature can take an eternity). As I’ve said elsewhere, you’re not going to be punished for the mere act of accidentally downloading an open file. Courts look at the totality of the circumstances to determine whether a crime was committed, and the adversarial system makes it such that the prosecutor is going to have to prove beyond reasonable doubt that not only did the proscribed activity occur, but that the defendant had scienter (required intent/state of mind) and that in a case like this, the circumstances suggested that the data was not intended to be public. And as a defendant you will have the equal opportunity to argue that you didn’t violate the law, or that it was a mere accident. But if you’re keeping a cache of these stolen files around or sharing them with others, then perhaps you’re not so innocent.
There’s an old axiom that “a liberal is a conservative who’s been arrested; a conservative is a liberal who’s been mugged.” If you ever become a victim of a crime, you might appreciate these protections in a way you seem not to today.
"But if you’re keeping a vault of these stolen files around or sharing them with others, that suggests perhaps you’re not innocent."
Perhaps you don't understand the (stated) facts around this case. They didn't copy/steal the files, merely pointed others to the publicly available S3 bucket. Could there be more details that we don't know? Sure. But this is the situation being discussed here.
"As I’ve said elsewhere, you’re not going to be punished for the mere act of accidentally downloading an open file."
How so? Courts have held that you are bound to the ToS even if you didn't read it. That you accepting those ToS implicitly and then violating them is sufficient scienter to prove you knowingly exceeded your authorization (which again, typically defines boundaries poorly) and violated the CFAA (except for that one case law about accessing unsecured things that I can't find).
"And if you ever become a victim of a crime, you might appreciate these protections in a way you seem not to today."
Who says I haven't been a victim of a crime? I have. I still think that many cyber laws are not appropriate. Of course most victims will view the protections favorably - they value benefit to themselves more than benefit to society; they aren't impartial. Perhaps you will better understand my position if you've ever been screwed over by the system and had your clearly defined rights violated (even when a civil rights lawyer agrees that it was a violation but that the courts don't care). The system does not care about justice or doing what's right. You can't call it justice when it's estimated 2-10% of incarcerated individuals were wrongly convicted.
The system cares only about itself and its privileged participants as evidenced by such travesties as the privacy of judicial complaints trumping one's right to exculpatory evidence. The basis they give for this privacy is that the public would lose trust in the system, which is only true if incompetence and misconduct were common and not appropriately dealt with. The judges ruling on these topics are not impartial and simply granting themselves additional privileges.
"The law is not read literally in most cases"
The law has to be sufficiently defined so that people can know it. Ambiguity is supposed to benefit the defendant under strict construction and reasonable explanation/doubt because the law is unknowable because it is not defined. There is also precedent stating that laws cannot be interpreted contrary to their language. Sure, interpretation can take place as to what the spirit of the law is, but it cannot violate the letter in doing so. Unfortunately we see this precedent violated in other rulings (I've seen it personally in applying non-scienter absolute liability to an offense that explicitly applies a reasonable standard of care).
'“Breaking and entering” is a perfect example'
How so? The title of the crime might not encompass the totality of its application, but the actual elements of the offense should be defined under the section and applied consistent to that definition.
"... but it’s not how lawyers think and operate."
Based on this and other parts of your conversation, it sounds like you may be involved in and benefiting from the system. It seems you may not be impartial and are likely exhibiting some bias to quell the cognitive dissonance of participating in a flawed system so that you can maintain the status quo that is beneficial to you.
I think we are in violent agreement that the system is imperfect and that it could use some fixing, and that there have been some serious travesties of justice that we should all be ashamed of.
(I’m personally of the opinion that a prosecutor who intentionally withholds potentially exculpatory evidence from a defendant should be fined, disbarred, and banned from running for or holding a public office ever again.) By all means, advocate those fixes, and make your case to your representatives who are in the best position to address your concerns. But we are pretty far afield from the basic question here, which is about keeping out of other people’s stuff without consent. If we can’t agree on the basic morality of that, and whether people should be punished when they intentionally don’t, then I guess there’s no place to go. (We don’t know the facts of this case. But even if the OP only discovered and communicated the locations of files, they could still be guilty of a crime if they conspired with someone else to actually use the referenced data without authorization. Conspiracy is a powerful tool in a prosecutor’s belt.)
"which is about keeping out of other people’s stuff without consent. If we can’t agree on the basic morality of that"
That's not what's being discussed. I think we agree that violation of one's private things/data or trespass is wrong. Where the contention lies is in what circumstances the person can expect to have that privacy and what the definitions are/should be to maximize societal benefit when it comes to internet usage.
"and whether people should be punished when they intentionally don’t, then I guess there’s no place to go."
Intentional access isn't even at issue here. "Knowing" access is all it takes under the law. I put knowing in quotes here because a prosecutor can prove that simply by your violation of the implicit agreement to ToS, even if you never read or knew them.
So the issue isn't that people who knowingly or intentionally violate privacy/trespass need to be punished, it's in identifying when a violation has actually occurred, equally enforcing it, and whether the law is appropriately crafted to protect everyone and provide societal benefit. The way it is crafted now is not well defined, is not equally enforced, and can be used against people who have no ill intent or even knowledge that something was wrong. So not about punishing people who should be punished, but about the ability to punish those who shouldn't, as well as how to define them. So yeah, we can't agree on this topic, but your strawman argument of why is not the reason.
> maximize societal benefit when it comes to internet usage.
How would it maximize societal benefit to make it lawful to access and retain content that the owner didn't intend to make public?
> Intentional access isn't even at issue here. "Knowing" access is all it takes under the law. I put knowing in quotes here because a prosecutor can prove that simply by your violation of the implicit agreement to ToS, even if you never read or knew them.
I do not think this is correct, either under a plain reading of the text, or my experience. I'm looking at CFAA again (18 U.S.C. 1030 et seq.) and I don't see a bare knowledge requirement for any of the enumerated proscribed activities. Can you point to a specific one at issue? Besides, if you can show that a defendant had knowledge that the content was private and that they wouldn't have been granted access had they asked the owner permission, yet the defendant proceeded to access the content anyway, how can one not conclude that proceeding further was intentional? At any rate, if you ever see a case where someone is successfully convicted for unauthorized access without proving an ill intent based on the circumstances of the case, by all means, I'd love to hear about it. But I haven't heard of any so far, and I don't expect to in the future.
"How would it maximize societal benefit to make it lawful to access and retain content that the owner didn't intend to make public?"
Because it would lead to companies implementing better cyber security policies and scanning, which reduces our country's susceptibility to foreign attacks, instead of spending money on lawyers just to sue people and spending tax money policing an issue that is the result of poor due diligence on the part of the company. This means that we would strengthen the incentive to prevent issues instead of relying on after the fact actions which may not even be feasible due to international actors. It can also protect people from inadvertently violating the law and being prosecuted in a biased way if the boundaries of authorizations and public/private resources are more explicitly defined. This will also allow peace of mind for beneficial professionals like security researchers, journalists, and others in fields that currently find themselves at risk of significant legal fees even if they decide not to charge them.
"Besides, if you can show that a defendant had knowledge that the content was private and that they wouldn't have been granted access had they asked the owner permission, yet the defendant proceeded to access the content anyway, how can one not conclude that proceeding further was intentional?"
How can you prove that, or is that a "reasonable person" (which is especially tricky when it comes to tech)? For example, do you always ask permission before posting or visiting links online? You have no way of knowing if someone is going to give permission or not in most cases. I assume you, like the vast majority of us, access publicly available computer resources based on the implied consent that if it was made public, that it's authorized to use. The OP thinks he was allowed to link to public files. I'm inclined to agree. If you put something in public, you should expect the public to interact with it.
That's common sense and consistent with concepts already in use in physical property law (viewing/recording private property from a public space).
"At any rate, if you ever see a case where someone is successfully convicted for unauthorized access without proving an ill intent based on the circumstances of the case"
Conviction isn't the only damage. It can cost thousands of dollars just for the legal representation if you are just investigated. The recent high profile MO reporter case is an example of this. The individual came forward with the information showing good faith and still they had to retain legal counsel to deal with the accusation. Security researchers have no ill intent and they are often the target of the CFAA. United States v Drew shows that it's a CFAA violation just if you create a fake account without knowing it's a ToS violation.
"I'm looking at CFAA again (18 U.S.C. 1030 et seq.) and I don't see a bare knowledge requirement"
You're right that the code required intent. But there have been rulings that just require knowingly accessing a system, and that ToS violations are enough to meet the criteria. Sandvig v Barr demonstrates that ToS violations can be CFAA violations (even though the specific research was found to be excluded). Van Buren v United States and United States v Drew further support ToS violations being enforced, even if Drew didn't actually know it was a ToS violation. There are a lot of legal documents around this issue from the EFF and ACLU. They are especially concerned about the lack of definition around what constitutes authorization, a concern I share.
First, I don't think a majority of Americans are in favor of changing the law such that if they don't protect their stuff, it's free for the taking. We've never had such a default rule and I can't foresee a sea change in attitudes that would have to take place before this happens. It's just not realistic. Legitimate security researchers get permission from their targets.
The current laws don't seem to impede their work very much; there's a healthy market for red teams for hire. Journalists are in a class by themselves and are subject to First Amendment protections. Whistleblowing isn't at issue here anyway.
> If you put something in public, you should expect the public to interact with it. That's common sense and consistent with concepts already in use in physical property law (viewing/recording private property from a public space)
This is where the tangible/real-estate concept of property truly diverges from the concept as applied to cyberspace. When you are out in the real world, you always have to be in some location, and if someone's private property is visible from your perspective, there's nothing that can be done about that without a physical barrier of some sort. You can either cover the property, or cover everyone else when they're around it. Obviously it makes more sense to cover the property, from an economical and practical perspective. But when you're in cyberspace, you have to perform an overt act to access something. URLs don't fetch themselves. Consistent with that, and in the interest of encouraging people to publish and do business on the Internet, we have made a societal decision to make strong laws protecting against unauthorized access, even when resources are available without controls as strong as perhaps they ought to be.
> Sandvig v Barr demonstrates that ToS violations can be CFAA violations ...
Sandvig v. Barr held the opposite: "violating public websites’ terms of service ... does not constitute a CFAA violation under the “exceeds authorized access” provision." Van Buren v. U.S. was not about a ToS violation; it was about a police officer accessing and misusing confidential police records for non-law-enforcement purposes. U.S. v. Drew resulted in an acquittal on appeal: "The pivotal issue herein is whether basing a CFAA misdemeanor violation as 12 per 18 U.S.C.
§§ 1030(a)(2)(C) and 1030(c)(2)(A) upon the conscious violation of a website’s terms of service runs afoul of the void-for-vagueness doctrine. This Court concludes that it does primarily because of the absence of minimal guidelines to govern law enforcement, but also because of actual notice deficiencies." So as you can see, the law seems to be converging towards your own opinion that ToS violations alone are insufficient to constitute criminal activity under CFAA.
“…treat the absence of one as a lack of consent.” - do you have a source for this? Their documentation states otherwise https://developers.google.com/search/docs/advanced/robots/ro...
You are correct; my mistake. Nevertheless S3 returns a 403 (unauthorized) response for robots.txt by default which causes Google not to index it.
Most of the time trespassing (which is more akin to this than burglary) requires the owner to post obvious notice or ask the person to leave. I did not see that intentional act here either. So there's no intentional act by the owner either way. In the physical world, no crime would be committed. It seems this is further reinforced by the fact that AWS documentation repeatedly states that buckets can be accessed publicly or secured depending on the settings. Kind of like the government (in most states) saying people can walk through your property unless you take steps to prevent it. Yes, judges will laugh at a defendant bringing this up, but will eat up whatever comparisons a prosecutor makes.
It’s probably not about the contents being public but more about paying the bandwidth costs.
I'm kind of wondering what the legal precedent is for the FBI to investigate "hotlinking" instead of just telling the devops person making the bucket private + CDN'd.
I think this is highly unlikely. That would be grounds for a civil suit, but probably not a criminal prosecution. The criminal part would be using another’s credentials (the s3 keys) as your own.
The situation being discussed is an open bucket, with no access credentials required.

Obviously no traditional access credentials are required because otherwise it wouldn’t be usable to link to (by the owner). But as with the codes you use to embed Google Maps in a website, there could be part of the URL that can be considered to function as something like an access credential. Anyway I presume if the FBI ‘criminally charged’ the poster the charge included the criminal law they are accusing him of breaking.

IANAL but it sounds like the fact that you offered a subscription service for access to $company's asset puts you in more trouble. you may have only gotten x dollars from your subscribers, but it's hard to dispute that you intended to extract y dollars in potential lifetime revenue from those 25k monthly visitors, especially if your revenue growth hasn't been trending negative. it's arguable those free sites didn't cause $company any loss, as those people may not have been interested in the asset had they had to pay for it, but if someone pays you instead of the owner of the IP...

This sucks and shouldn’t be a crime. But the iron fist of Uncle Sam has struck and you’re screwed basically. Try to get a very good lawyer, I’d focus your efforts on that.

As little as 10 years ago, the most common solution to hotlinking was swapping out the hotlinked images with something different/offensive to shoo away the hotlinker. Or various anti-hotlinking scripts. Or maybe even check request headers against your own domain at the server level. Now the solution is a 7 figure cry of foul enforced by the FBI? Was the offense more egregious and involved hotlinking of novel IP, leading to more aggressive enforcement?

If you don't have money you spend a few evenings setting up referrer protection of some fashion and serve goatse to unauthorized clients. Problem self-solves over time.
I was on the receiving end of this a few times, back when I was young and had no way of paying for my own legit image hosting. If you have money you may also have scale and a public image, so this solution is not so palatable. And since you have money and lawsuits are socially acceptable, you go that route. If sending security to your house with baseball bats were socially acceptable that would be the route utilized.

This story doesn’t really make sense. What would you risk by truthfully telling us what company and what kind of assets you’re talking about? You shouldn’t be having this conversation with the FBI anyway, these details are figured out in courts.

Most likely OP cannot afford the team of comprehensive legal advisors which would be necessary to achieve a truly fair outcome. I imagine OP has been dealing with this situation mostly silently for approximately a year by now. The "wheels of justice" turn slowly but generally inexorably. Once the FBI decides to bring charges, they almost always have already completely made up their mind and get exactly the outcome they want. OP's life has been and will continue to be thoroughly destroyed by the consequences of their poor judgement and there's likely no actions OP can take at this point to change the medium-term outcomes. Barring winning the lottery (in some form or another), OP would not be able to pay this debt if they lived to be 1,000 years old. And it's not dischargeable in bankruptcy. That's ignoring any potential jail time and consequences on OP's future employment options. So, quite frankly, at this point OP is probably posting here in a state of pseudo-panic, because there's very little chance this post would make it worse now that he's already been criminally charged -- again, 99+% of the time, the main outcomes are usually decided at the time of charging, not sentencing. Long-term, OP may be able to eventually build a life that they are happy with. But they will have many, many doors closed to them.
On an absolute scale, it's possible that OP's actions directly caused a response that wasted many, many man-years of labor even if the data leaked wasn't itself important (technical and legal investigation, management conversations/energy/time that could have been spent on other things, security containment and mitigation, FBI investigators' time, the courts' time). It's probably not possible for OP to "pay back" the time and energy to all those people that they've affected. But on a relative scale, it's likely that no individual or corporation was threatened with existential harm over this, while OP certainly is facing what feels like existential consequences. So that will be very very hard for them to deal with right now.

If OP wants advice beyond “get a better lawyer”, it would be useful to know what they actually did or are accused of doing. As it stands his post doesn’t really provide any useful details beyond “I’m facing federal charges and am not happy with my lawyer”.

> Instead of communicating a copy of the image, Google provides HTML instructions that direct a user’s browser to a website publisher’s computer that stores the full-size photographic image.

https://en.m.wikipedia.org/wiki/Inline_linking It seems Google saved its butt with that explanation. Can you do the same?

Mostly true, image search results are shown to the user using a base64 encoded thumbnail representation of the source. Focused view results in a request made to the source image inline with Google's site.

They definitely store & process copies. Color search, subject search, none of that is possible without storage of some kind. Freshness searches require polling resources with modest frequency, too.

Contact the Electronic Frontier Foundation. This is literally what they do. I don't know if they'll take up the case, but talk to them.

Sadly the EFF is not usually in a position to serve as a technical witness in criminal cases.

"he said that I’m pretty SOL in arguing this loss amount."
That's how I see it. The government has obscene resources and power to prosecute you. Even if you win, you'll likely be screwed with the cost to defend. The law generally favors the victim and in many cases judges seem to accept any amount that can be explained, even if it's not fair.

Murica is a pretty fucked up country if you can get sued for linking to a public resource on the web.

America is a great country because we respect people's intent, even if they make inadvertent mistakes.

Why will the FBI just randomly tell a company you linked to their site? There's more to this, but get a better lawyer, and the FBI won't be the one to calculate/charge you. Sorry, but your story doesn't add up.

Aren't cases like this a rare exception and you're let away with a slap on the wrist by Amazon and they will look the other way? If you keep doing it, you will have to cough up the funds, so just learn from the lesson?

You shouldn't be posting on here, you should be looking for another lawyer. Sounds like you have a good argument to lower the restitution you'd owe if convicted. Great. But a) ideally you're not convicted; b) someone has to take your argument and prove it in court. You need a solid lawyer. That is it.

This is not legal advice. IANAL. Please seek better legal representation. There's legislated protection for you and also already US case law as precedent.

Links?
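
The server-level check that comments above describe as the older answer to hotlinking ("check request headers against your own domain", "referrer protection"), written out as an added example; it is not code from any commenter or from $company. The host names and the `decide` helper are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumed for illustration: the hostnames of the site that owns the assets.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def referer_host(referer):
    """Hostname from a Referer value, or None if it is not an http(s) URL."""
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".").lower()


def is_own_host(host, allowed=ALLOWED_HOSTS):
    """Exact match or true subdomain; a substring or bare suffix match would
    also accept look-alikes such as example.com.evil.test or notexample.com."""
    return host in allowed or any(host.endswith("." + a) for a in allowed)


def decide(referer, allow_empty=True):
    """Return (HTTP status, reason) for a request to a protected asset."""
    if referer is None or not referer.strip():
        # Direct loads and strict Referrer-Policy settings send no header,
        # so blocking these also blocks some legitimate visitors.
        return (200 if allow_empty else 403, "no-referer")
    host = referer_host(referer)
    if host is None:
        return (403, "malformed-referer")
    if is_own_host(host):
        return (200, "own-site")
    return (403, "foreign-referer:" + host)


if __name__ == "__main__":
    # Constructed sample Referer values.
    for value in (None, "https://www.example.com/gallery",
                  "https://example.com.evil.test/a", "not a url"):
        print(repr(value), decide(value))
```

The Referer header is supplied by the client and can be absent or altered, so this check deters casual embedding rather than controlling access; the thread's other suggestion, a private bucket behind a CDN, is the stronger control.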