With the passage of the $1.9 trillion American Rescue Plan Act, we may be witnessing a turning point in the way this country thinks about poverty.

The plan will provide an unprecedented increase in the social safety net: a third round of direct payments to qualifying Americans — $1,400 per person and an additional $1,400 payment for each dependent — an extension of unemployment benefits, and an expansion of the child tax credit. Remarkably, the stimulus will provide this money without onerous work requirements or unnecessary spending limitations. It will simply put cash in the pockets of those who really need it. The passage of this bill reflects a profound ideological shift, and could help forge a path away from the American tradition of penalizing, and often criminalizing, poverty — a practice that disproportionately harms people of color.

Compare the 2021 stimulus with the Personal Responsibility and Work Opportunity Reconciliation Act of 1996, commonly known as welfare reform. Welfare reform “created time limits and work requirements” and “abolished the entitlement to cash aid for poor families with children.” Welfare reform also set a floor for aid, effectively locking out the poorest of the poor among us. This was the culmination of a pervasive smear campaign directed largely against low-income Black women who were villainized as “welfare queens” bent on gaming the system.

As the law’s title suggests, welfare reform was based on the idea that poor people are to blame for their poverty. If you’re poor, it’s your fault. You’ve failed to take responsibility for bettering your life, and therefore you must be incentivized to seek out opportunities that you’ve otherwise chosen to squander.

Fast forward to 2021 and the stimulus: $1,400 for each qualifying person and another $1,400 for each dependent. No floor. No work requirements. No shaming.

Benefits like this reflect a philosophy entirely at odds with the welfare reform efforts of the 90s: Struggling financially isn’t a personal moral failing and people aren’t to blame for it. For now, the stimulus only authorizes these payments for one year, though some Democrats are pushing to make the the child tax credits permanent. Hopefully, this philosophical shift in how we perceive poverty has staying power, and will deepen as we see more examples of how these kinds of unconditional cash transfers succeed.

The American Rescue Plan Act rejects the idea that poverty is a moral failing or a choice rooted in laziness and anti-social tendencies. We must also reject this idea in the criminal legal system. We must end policies and practices that criminalize poverty. Criminal codes are full of offenses that punish or punish more severely because a person is financially insecure. We need to repeal them all.

As recently explained in an opinion piece by a former prosecutor and a public defender, “[a]rrests for low-level offenses make up the majority of the cases in the criminal legal system. Up to 13 million misdemeanor cases are filed every year, and reflect 80 percent of all arrests across the country.”

Several years ago — before George Floyd was arrested on suspicion of committing a misdemeanor and killed by Derek Chauvin — the ACLU and the ACLU of Minnesota examined low-level arrest data from the Minneapolis Police Department. Over 33 months, the department arrested people experiencing homelessness more than 6,000 times for low-level offenses. Eighty percent of these arrests were for consuming alcohol in public, open alcohol containers, outstanding warrants for low-level offenses, trespassing, loitering with intent to commit a narcotics offense, disorderly conduct, theft, drug paraphernalia, begging/panhandling, and public urination. In a city that is 19 percent Black, a whopping 58 percent of these low-level arrests were of Black people experiencing homelessness.

In Tennessee, I represented a client who was serving time for a theft he committed when he was homeless. He was later released on parole but had nowhere to go and fell back into homelessness, which eventually led to a trespass charge. This charge violated his terms of parole and now he’s back in prison.

In Washington D.C., three law professors at Georgetown recently called attention to the criminalization of poverty in misdemeanor court. They explain that about half of the misdemeanors prosecuted are nonviolent and are “crimes of poverty.” They tell stories of “clients [who] were prosecuted for such crimes as stealing a burrito from a 7-Eleven or a pair of warm gloves from Macy’s, or begging for a free cup of coffee at Starbucks and not leaving when told to.” And they point to data showing that an overwhelming number of these prosecutions “have long been of poor people.”

In addition to the immediate consequences of low-level convictions, the ACLU’s Racial Justice Program has documented that this type of contact with the criminal legal system can result in people being locked up without court hearings or legal representation when they could not pay fines and fees for traffic tickets or other civil infractions or criminal offenses. Indeed, modern-day debtors’ prisons result from state laws allowing or requiring the suspension of driver’s licenses for unpaid court fines or fees without first requiring confirmation that the person could actually pay.

Criminalizing poverty just leads to more poverty and disadvantage. As the Georgetown professors explain, “[t]hose in misdemeanor court face serious consequences even for petty crimes. A conviction can result in loss of housing, income, legal immigration status, and more.”

If lawmakers can evolve beyond blaming people for poverty in the context of financial assistance, they can also stop criminalizing people for poverty and compounding it by subjecting them to a biased and bloated criminal legal system. Enormous resources are devoted to criminalizing poverty. Instead, let’s invest those resources into preventing poverty.

In the spirit of this historic American Rescue Plan Act, lawmakers should begin dismantling and repealing the many laws that needlessly ensnare Americans in the criminal legal system and ensure they remain below the poverty line. Poverty isn’t a moral failing, and it shouldn’t be a crime.

We learned last week that a group of hackers gained access to cameras installed by a surveillance camera company, and said they were able to access live feeds from 150,000 cameras inside schools, hospitals, gyms, police stations, prisons, offices, and women’s health clinics. Some of the video footage — showing patients in their hospital rooms, for example — was extremely privacy-violating.

The company, Verkada, does not merely sell security cameras; it also provides a variety of surveillance services to its clients, including cloud storage of video footage and remote access to camera feeds on smartphones or other devices. Because the company streams video to a centralized source (its servers) to provide these services, the hackers were able to access not just a few cameras here and there, but a vast number of video feeds.

What does this breach tell us about the state of security today? While the story has many dimensions, it offers four principal reminders about surveillance, video, and internet-connected devices.

1. The dangers of connected cameras

When you hook up a camera to the internet, you are making it vulnerable. And you are making the privacy of anybody recorded by that camera vulnerable. We have previously warned people who are considering buying a doorbell camera or other internet-connected camera for their home — or other kinds of “Internet of Things” devices — that they are susceptible to hackers. In this case, the hackers reported that they were able to watch video showing such things as a man struggling with staffers inside a psychiatric hospital, a man being interrogated in a police station, patients in a hospital intensive care unit, and a family doing a puzzle inside their home. The hackers reported accessing not just live video but also videos customers had saved to the cloud — in other words, onto Verkada’s servers.

Digital security is difficult. The bottom line is that it’s simply easier to attack an online asset than to defend it. To protect it, your defenses have to be perfect, while an attacker only needs to find one way to succeed — one weak password, one unpatched vulnerability, or one gullible worker. Many companies, especially less established ones, don’t make cybersecurity a priority. That’s because good cybersecurity is expensive, and with the occasional exception of a few days’ bad headlines, the consequences of failure typically fall on others, rather than on the company.

2. Device vendors can be device snoopers

Internet-connected devices are vulnerable to three broad categories of privacy invasion: hackers, the government, and the companies that make the devices. We don’t know of any government intrusion here — though any collection of sensitive data is vulnerable to domestic or foreign governments through legal or other processes. But this breach is certainly a reminder of that third vulnerability.

The intruders gained access through a pre-existing Verkada “Super Admin” account that let employees watch video from any of the company’s cameras. The very existence of such an account is a scandal in itself. Bloomberg and IPVM reported that the use of these Super Admin accounts was widespread within Verkada, with more than 100 employees having access. One former executive told Bloomberg that such access extended to sales staff and “20-year-old interns.” It’s unclear how many (if any) of Verkada’s customers knew about this centralized access, though if any did, they weren’t notified when it was happening — and it’s pretty likely they didn’t expect it to be so casually used.

Unfortunately, such centralized access to surveillance feeds by vendors is hardly surprising. Ring, the Amazon-owned doorbell camera company, gave workers access to every Ring camera in the world together with customer details. Other companies offering similar services have also granted such access, including Google, Microsoft, Apple, and Facebook.

3. The inappropriate deployment of cameras

By providing a window into video surveillance systems across a wide range of institutions, the Verkada hack reveals how some of those institutions deploy cameras in inappropriate or unethical ways.

If I were lying in an ICU bed, I know I wouldn’t want a camera on me. And if there was a camera set up for observation by medical staff, I certainly wouldn’t want it sending data to the internet. Nor would I want an internet camera on me while I worked out at a gym or visited a clinic, or on my children at school. If there was a camera, I’d like to know it — and if it were connected to the internet or using face recognition I’d like to know that, too.

Videos viewed by Bloomberg showed that in one Alabama jail, cameras were hidden inside vents, thermostats, and defibrillators, and tracked both incarcerated individuals and correctional staff using face recognition. If that jail could do that, so presumably could any of the company’s clients who chose to do so.

Aside from Verkada’s failings, these institutions have failed the people who appeared on their cameras. Most of the subjects of this surveillance were not Verkada’s customers, had no relationship with Verkada, and probably were not even aware of the company’s existence. Even if Verkada had the best, most transparent contractual relationship with its customers, many of those subjects were still being surveilled in ways they shouldn’t have been.

4. The power of face recognition and video analytics

Among the services that Verkada offers are face recognition and other video analytics, including “people and car detection” as well as intelligent search functions that allow for “search and filter based on many different attributes, including gender traits, clothing color, and even a person’s face.”

We have written in detail about how video analytics can let computers not just store video but understand, analyze, and intelligently search it. That is making video a more powerful and intrusive surveillance mechanism. But it could also make video a more valuable asset for hackers. If face recognition or other characteristics are pre-computed, for example, the video archive could become more manageable to an attacker looking for a specific target.

In that respect, one finding was troubling: According to images viewed by Bloomberg, cameras in the offices of the company Cloudflare were using face recognition, but the company said that it has “never actively used it.” If the company is telling the truth, that would suggest that face recognition was being applied to a customer’s video by Verkada without that customer’s knowledge.

These four lessons should be taken to heart by policymakers, institutions, and individuals. The Verkada hack involved a veritable Russian nesting doll of victims: The hackers breached Verkada, which appears to have been intruding upon its customers by allowing free access to their video feeds. And those customers betrayed those who appeared on Verkada’s cameras not only by putting too much trust in the company in particular and in cloud services in general, but in many cases by collecting video that was inappropriate in the first place. Verkada touts centralized management of video as a must-have security feature, but this hack dramatizes the downsides of such centralization. Instead of providing security to its customers and the people captured by their cameras, that centralization provided invasion and insecurity.