[HN Gopher] US Supreme Court Restricts Scope of Computer Fraud a... ___________________________________________________________________ US Supreme Court Restricts Scope of Computer Fraud and Abuse Act [pdf] Author : panarky Score : 271 points Date : 2021-06-03 15:25 UTC (7 hours ago) (HTM) web link (www.supremecourt.gov) (TXT) w3m dump (www.supremecourt.gov) | blakesterz wrote: | I guess this is the part that matters most? | | "We must decide whether Van Buren also violated the Computer | Fraud and Abuse Act of 1986 (CFAA), which makes it illegal "to | access a computer with authorization and to use such access to | obtain or alter information in the computer that the accesser is | not entitled so to obtain or alter." He did not. This provision | covers those who obtain information from particular areas in the | computer--such as files, folders, or databases--to which their | computer access does not extend. It does not cover those who, | like Van Buren, have improper motives for obtaining information | that is otherwise available to them" | | Thomas, Alito and Roberts dissented, and I hate to say it, but I | agree with them. | | "The question here is straightforward: Would an ordinary reader | of the English language understand Van Buren to have "exceed[ed] | authorized access" to the database when he used it under | circumstances that were expressly forbidden? In my view, the | answer is yes. The necessary precondition that permitted him to | obtain that data was absent." | | That's Thomas dissenting. | fooey wrote: | I very much feel their ruling is correct. The CFAA is intended | to target "hackers," not policy violations. | | Here's a quote from the ruling making the point that applying | the law to something like access policy is far too broad to be | viable | | > The Government's interpretation of the "exceeds authorized | access" clause would attach criminal penalties to a | breathtaking amount of commonplace computer activity. 
For | instance, employers commonly state that computers and | electronic devices can be used only for business purposes. On | the Government's reading, an employee who sends a personal | e-mail or reads the news using a work computer has violated the | CFAA. The Government speculates that other provisions might | limit its prosecutorial power, but its charging practice and | policy indicate otherwise. The Government's approach would also | inject arbitrariness into the assessment of criminal liability, | because whether conduct like Van Buren's violated the CFAA | would depend on how an employer phrased the policy violated | perihelions wrote: | _" The CFAA is intended to target "hackers," not policy | violations."_ | | However, they also explicitly write that they're _not_ | addressing that distinction (footnote 8 on page 13, to my | best ability to parse it). There's some semantic gap between | "policy violations" and "improper motives". | | _" For present purposes, we need not address whether this | inquiry turns only on technological (or "code-based") | limitations on access, or instead also looks to limits | contained in contracts or policies. Cf. Brief for Orin Kerr | as Amicus Curiae 7 (urging adoption of code-based | approach)."_ | | I discovered this nuance from Orin Kerr's twitter (the same | one cited in this footnote); he says he's not confident he | understands this footnote. | | https://twitter.com/OrinKerr/status/1400461828807741455 | tialaramex wrote: | I don't know if it _can_ always be avoided, but I think it | makes sense for a court to _try_ to avoid the code-based | approach. | | It seems to be all downside (exploiting bugs will typically | be OK because the _code_ said this was OK, even if the | people who wrote it never intended that) with no upside | (the things rendered illegal already don't work, because | code forbade them). 
| | Courts ought to be familiar with the fact that they're | present mostly to make decisions about fuzzy things like | "Did the accused intend to cause harm to the victim?" and | not simple mechanics like "Does being injected with cyanide | kill people?". | Natsu wrote: | I agree, I don't think it can always be code-only. If you | socially engineer someone into giving you an account, I | really think that should be fraud. | | I've thought about this for some years now and looked at | various different cases tried under the CFAA or otherwise | claimed to be unauthorized access. | | I personally believe it should turn on whether or not you | used deception as the means to gain access. That is, but | for your deception, would you have gained access? | | This, in my mind, proves they were up to no good ( _mens rea_ ) and acts to make it clearer whether or not you | were authorized. It also connects to the idea that the | law is meant to counteract a type of _fraud_ in general. I | mean, how can anyone say they had authorized access if | they had to lie to gain access? | [deleted] | anonymousiam wrote: | I agree that the ruling is correct. The officer was granted | the accesses he had, and he was fully authorized to use them. | He violated a department policy by using his access | improperly. The government wants to turn policy violations | into a felony, and even set up a sting operation in this case | to get a felony conviction. The officer should be | disciplined/fired/etc. for violating department policy, but | the CFAA should not be used to turn him into a felon. | yarcob wrote: | The problem is that the officer is corrupt, and he should | be charged for taking a bribe. I don't think corruption is | "just a policy violation", but I don't know enough about US | law to know if taking bribes makes you a felon or not (I | would hope so, but I assume it depends on circumstances). | | In any case, it shouldn't matter that he used a computer to | commit a crime. 
If he had gotten the relevant information | by reading it from a paper file or by asking a coworker | the crime should be the same, in my opinion. | Natsu wrote: | I think that what the officer did is likely illegal for | other reasons. So this ruling doesn't mean the officer | deserves no punishment, it just means they committed some | other crime than unauthorized access to a computer | system. | rPlayer6554 wrote: | But then he should be charged under the set of laws | pertaining to bribery or corruption. I don't think anyone | here disagrees with that. The question is should this | crime of corruption get a massive additional penalty | specifically because it was committed on a computer. | | The supreme court says that this law has a purpose: to | catch people who gain unauthorized access to computers. | If laws are interpreted too broadly, they can be used to | overcharge people. The example given by the supreme court | is that if this law covers unauthorized use of a computer | you are authorized to have access to, then sending a | personal email on a work computer can be a felony. | pessimizer wrote: | I'm absolutely fine with him being charged with a felony, | as he is a corrupt government official, I just don't think | that felony should be hacking. | thayne wrote: | I would hope that there are stronger protections against | such abuses of authorization. What if a police officer (or | system administrator, etc.) sold information about a | potential victim to a criminal that resulted in physical or | financial harm to said victim? | the_pwner224 wrote: | That is / should be illegal on its own, the fact that the | information was obtained through a computer system | instead of a paper file doesn't change anything in your | example. | secothroa wrote: | >and he was fully authorized to use them | | This line is the crux, and the problem is that "authorized" | means subtle, yet critically important, different things to | different people. 
| | The officer was surely "authorized" in the sense that he | had technical authorization to log into the system and | accomplish the task. | | But in the sense that "authorization" is defined by more | than just technical controls, and also has to do with many | dynamic situations that technical controls can't often | restrict (or just aren't in place), it doesn't sound like he | was "authorized". | | Think of walking into a restaurant and they have a sign | that says "Employees Only Behind Counter". Even if there | was no technical/physical control preventing you from going | behind the counter (eg there was no locked door or anything | like that), I think it would still be understood that you | as a customer do not have "authorization" to go back there. | | In my experience as a security consultant, my technically-minded clients typically think of "authorization" as the | first way, defined by technical controls and thinking that | lack of technical controls in a system means they have | carte blanche to do whatever they want with that system. | But my experience with anyone outside of tech is that they | don't think of it that way at all, and that just because | you have the physical/technical ability to do something | does not make it okay to do that. | | "Authorization" is an overloaded term and the CFAA suffers | for it, but personally I do not think an average person | would think the officer was "authorized" to do what he did, | even if he did have the technical access to do it. | | The points about "average employees technically violating | the CFAA by doing stuff like reading the news on their work | laptop" are valid concerns and I think they need to be | resolved, but I think that is a completely different | concern than someone like this officer abusing their access | for legitimately bad acts. | zuminator wrote: | I like your restaurant analogy but I draw the opposite | conclusion. 
Imagine a restaurant which has a sign saying, | "You must be dressed appropriately to enter - no shoes, | no socks, no service." A family goes in to dine. About | halfway through their meal, the cops come and arrest the | father. Turns out, although nobody noticed at first, he | wasn't wearing socks, and was therefore trespassing | according to store policy. Is that fair though? It's one | thing to ask the family to leave, but should the father | be charged with an actual crime for unauthorized entry? | greycol wrote: | >Think of walking into a restaurant and they have a sign | that says "Employees Only Behind Counter". Even if there | was no technical/physical control preventing you from | going behind the counter (eg there was no locked door or | anything like that), I think it would still be understood | that you as a customer do not have "authorization" to go | back there. | | But if a customer was invited back there because they | said they wanted to thank the chef? They're told not to | touch anything, they touch something. Do we view that | touching something as breaking the same rule as someone | who just walks back there uninvited or is it another rule | they are breaking? | | I can definitely see arguments for both views. Especially | compelling to me based on the analogy is once you've | taken the first unauthorized by policy action no other | actions other than leaving would be authorized though | this interpretation would lead to its own absurdities. | Natsu wrote: | You're right about a lot of that, but there are huge | problems with making mere policy violations into federal | felonies. We want to stop people from hacking stuff, but | at the same time, we can't do that by giving every random | company the power to make things into federal felonies | via their own complex and often-ignored rules. | | I posted up thread too, but my own personal view is that | unauthorized access should hinge on whether the person | used deception to obtain access. 
That provides a clear | separation between lawful and unlawful conduct without | giving private parties the power to define new felonies. | | With computers, I don't think that the proverbial | "employees only" sign on a load of private data means | anything and the incentive should be on the business to | provide a proper access control there. Meanwhile, if they | add a guard who asks "are you an employee?" and you lie | to them to get access, I would say you're unauthorized. | | That gives us some semblance of _mens rea_ while not | going too far in any direction, I believe. | bryanrasmussen wrote: | >I very much feel their ruling is correct. The CFAA is | intended to target "hackers," not policy violations. | | ok, but devil's advocate for a second - much hacking is | actually just lying to people to get access to things you | shouldn't have access to - so pretty much closer to policy | violations than the stuff most people associate with | 'hacking' | colechristensen wrote: | But let's say you called someone on the phone and lied to | them to gain access to a computer system, you committed | wire fraud doing so. It's just a different crime because | the thing you did wrong involves lying on the phone. | anonymousiam wrote: | If you obtain access using somebody else's credentials | through fraud, _YOU_ are not authorized. Thus you are | violating the CFAA. | ClumsyPilot wrote: | Obtaining access through fraud is fraud. Why do you need | to morph one crime into another? | | Think breaking and entering requires breaking in. If someone | gave you keys under false pretences, that's a different | crime. | jdmichal wrote: | I believe this would still be covered by the _first_ | clause, the one not even being argued in this decision. 
| | > Subsection (a)(2) specifies two distinct ways of | obtaining information unlawfully--first, when an individual | "accesses a computer without authorization," §1030(a)(2), | and second, when an individual "exceeds authorized access" | by accessing a computer "with authorization" and then | obtaining information he is "not entitled so to obtain," | §§1030(a)(2), (e)(6). | | I fraudulently obtain and use credentials to a system which | authorize another person to access it. I am still | "accessing a computer without authorization", because those | credentials never authorized _me_. | | This starts to get _really_ fuzzy if I fraudulently have | credentials explicitly granted to me... | zozbot234 wrote: | That's fraud and it's always been illegal. | secothroa wrote: | CFAA stands for "Computer _Fraud_ and Abuse Act". The | entire purpose of the law is that it addresses that type | of fraud. | buu700 wrote: | My initial reaction was to agree with you, but based on my | reading of the law I actually have to support the majority | opinion: https://www.law.cornell.edu/uscode/text/18/1030#e_6 | | _(6) the term "exceeds authorized access" means to access a | computer with authorization and to use such access to obtain or | alter information in the computer that the accesser is not | entitled so to obtain or alter;_ | | The language here is relatively narrow. Nathan did "access a | computer with authorization", and he didn't obtain information | that he was "not entitled so to obtain or alter". | | He may have obtained it for a _purpose_ that was expressly | forbidden by the department policy, but he was permitted to | obtain the information in and of itself. To qualify as being | "under circumstances that were expressly forbidden", I think it | would have to be a situation wherein he wasn't allowed to | obtain the information in general, e.g. if he were only allowed | to access it within certain hours or with a superior present. 
| | It's like the difference between giving someone your phone | (which, for the sake of argument, qualifies as a "protected | computer" in this scenario) and telling them that they can go | through your photos so long as they don't take out their own | phone and photograph any of them, and telling them that they | can only open your photos while you're watching. | | It would be extremely rude in either case to secretly take your | phone and exfiltrate your photos -- and may even still be a | crime in and of itself (and/or lead to follow-on crimes) -- but | I wouldn't consider the former to violate this particular law. | cletus wrote: | A policy change by your employer shouldn't lead to the | possibility of a criminal prosecution for "hacking" and that's | the net result of what you're suggesting and what that | interpretation would mean. | | To me this is the definition of overreach. | generalizations wrote: | It sounds similar to the problem of someone with access to a | file cabinet, where they aren't allowed to use some of the | files in the cabinet, but are allowed to access other files in | the same cabinet. | AnimalMuppet wrote: | And if they do access the files that they aren't allowed to, we | don't charge them with safecracking. They did _something_, | but safecracking doesn't fit. | badRNG wrote: | Similar to if someone does something they aren't supposed | to in a business, they aren't immediately charged with | breaking and entering or trespass. | duxup wrote: | Plain English to me seems like the person in question had | authorized access. | | His actions maybe should be criminal in some way (time to write | a law maybe), but his access was authorized. | fossuser wrote: | > "This provision covers those who obtain information from | particular areas in the computer--such as files, folders, or | databases--to which their computer access does not extend. 
It | does not cover those who, like Van Buren, have improper motives | for obtaining information that is otherwise available to them" | | I think this would have acquitted Aaron Swartz (though he | likely would have been acquitted anyway since they didn't even | allege improper motive iirc). | | In his case he accessed journals that were available to him via | MIT's open network. There is the second issue of his | trespassing in a closet to leave a laptop on the network, but | that would have been minor when compared to the string of | felonies they charged him with which was tied to the CFAA. | | This seems like a good restriction to me at first glance. | vmception wrote: | Do you think people will be able to acknowledge that | predisposition to suicide is what killed him and not the | gravity of the DA obsession to convict him? The US doesn't | have the most people in prison because long sentences caused | everyone to kill themselves first, its because people do the | time. | | I just see so much focus on needing to identify a catalyst | (which doesn't affect most people) instead of the pre- | existing mental health issue of the person. I think this | hampers the necessary conversations to be had on suicide. | 0003 wrote: | Look up the eggshell doctrine. From wikipedia: The rule | states that, in a tort case, the unexpected frailty of the | injured person is not a valid defense to the seriousness of | any injury caused to them. | vmception wrote: | this wasn't a tort case, it was a criminal case | | even if the family sued the state civilly there would be | nothing for the state to defend against | thebooktocome wrote: | I don't see the need to assign a single cause to a given | event, to the exclusion of all others. Most events that | occur have multiple causes, with varying degrees of | importance. 
| vmception wrote: | people are misattributing the most important one, then: | | planning and following through with the action | incompatible with maintaining a consciousness on this | plane of existence. | [deleted] | fossuser wrote: | > "Do you think people will be able to acknowledge that | predisposition to suicide is what killed him and not the | gravity of the DA obsession to convict him?" | | This is itself presumptive and I think largely wrong. Like | most things it's a combination of factors. No doubt Aaron | was struggling with depression, but facing federal prison | with a trial defense costing $1.5M (even if acquitted in | the end) is enough pressure to break even an otherwise | healthy person. | | I don't understand the need for people to frame this as you | are. | | I suspect Aaron would be alive today if the prosecution had | shown some discretion. In this specific case, it would also | have been the right/just thing as well as the legally | correct thing. | vmception wrote: | > I don't understand the need for people to frame this as | you are. | | Then perhaps the bigger issue, to me, is that this level | of analysis is not given to other people, where it should | be as well. | fossuser wrote: | On that we agree - if there's one thing in short supply | on the internet, it's nuance. | appleflaxen wrote: | Would that make you a criminal if you mistyped your URL, and | ended up looking at someone else's document? | | It seems like it would to me, and I don't like that | interpretation. | | If you want me to keep out, then keep me out. Don't make | something available to me and then accuse me of a felony when I | see it. | nullc wrote: | Civil and criminal law are distinct for a reason. In criminal | law the consequences for your wrongs are much more dire-- you | face the power of the state against you and you can be denied | your freedom. 
| | Triggering the CFAA on policy violations creates a general tool | to convert civil matters into not just a crime, but a | relatively serious one! It essentially lets system operators | write private law with criminal enforcement without the | oversight of the public. | | To give a silly example: Your landlord prohibits you from | painting your walls. Their payments website has some terms of | use that makes it a CFAA violation to use their site with | painted walls. Suddenly what otherwise might be a lawsuit over | the $500 cost to repaint is a state funded attack where you | face ten years in prison. | | It's clearly wrong to use the CFAA that way in the silly | example, but it's no less wrong in less silly cases. Saying the | CFAA can't be used to create private criminal law doesn't mean | that policy violations can't be prosecuted-- but it means they | should be prosecuted under other laws (with intentionally | matched terms and penalties) or as civil matters. | lumost wrote: | This is the outcome of a legislative branch which can no longer | legislate effectively. The courts have to "interpret" the laws | into a sensible form of common law which minimizes the | difference between the legislation, and practical governance | concerns. | | Interpreting the law in such a way as to make _private_ policy | makers the arbiters of _felony_ charges is not compatible with | our society. This would be the equivalent of a restaurant | letting you in, asking you to take a seat, and then charging | you with a felony for choosing the wrong seat as listed on a | tiny sign in the back of the restaurant. | austincheney wrote: | _Exceeded authorized access_ commonly refers to privilege | escalation, which means access to a resource beyond his/her | level of granted permission, whether by modification of | technical controls, social engineering, or physical access. | That is not what happened here. 
The access to the resource | occurred exactly in accordance with the access controls and | authority granted, but the motivation and intention were in | clear ethical violation. | | Judge Barrett said exactly this in her opinion. | [deleted] | lmkg wrote: | The heart of this is the difference between legal authorization | vs technical authorization. Legally, it is (or rather, used to | be) OK to say "you have access to data X for purpose Y." | While the technical controls could not enforce restrictions on | the purpose, it was understood that purpose limitation was | valid. There was an understanding that technical controls are | only an _approximation_ of policy, and it's the policy that | has legal weight when determining what access is authorized. | | Hopefully this particular case also runs afoul of other laws. | Like something about granting access to unauthorized | individuals, which is what the defendant was doing (selling | government data). That can, and perhaps should be, separately | illegal from accessing data for improper purposes. | phkahler wrote: | >> The heart of this is the difference between legal | authorization vs technical authorization. | | We must not confuse legal authorization (felony for | violation) with private or contractual agreements. | | Any law that allows private entities to define what actions | constitute a felony is bad, and hopefully unconstitutional. | | Technical access measures are somewhat like physical locks. | Terms of use are more similar to contracts. IANAL so my | analogies may be crap. | ClumsyPilot wrote: | This is a very good point and what people often confuse. | | There is a crime of breaking and entering - and that's well | defined. 
| | Then there are permissions of: "you can be in my house as | long as you don't use the bathroom and only wear pink socks" | - if a person were to wear green socks, you can kick them | out, but it does not suddenly become a home invasion | kayodelycaon wrote: | The argument against the dissent is CFAA defines the terms | used. Ordinary reader rule does not apply in that circumstance | and nor should it. | burkaman wrote: | The court's hypothetical is useful: | | > For instance, employers commonly state that computers and | electronic devices can be used only for business purposes. On | the Government's reading, an employee who sends a personal | e-mail or reads the news using a work computer has violated the | CFAA. | | Accessing data for a forbidden reason should be a fireable | offense, but not criminal. So if Thomas is right, it's a very | bad law. | | I'm not sure I agree with him though. I think if you asked an | average person, they might say something like "yes I am | authorized to access that database, because I have credentials, | but I'm not supposed to without a good reason". I don't think | there is a single plain English reading of this phrase that any | large group of people would agree on. | ncallaway wrote: | I don't agree. | | I think the other judges have the better reading of the | specific language of the text. Thomas, Alito, and Roberts don't | even take their dissent on the interpretation offered by the | Government, but have to craft their own--extremely broad-- | interpretation of "entitled". | | Since I think the opinion (at least, the little bit of it that | I've skimmed) makes a fairly compelling case around the | majority's interpretation of the words "so" and "entitled" I | won't rehash that here. But, if we back up to the purpose and | intent of the legislation, I think this outcome also better | aligns with that. | | The CFAA was designed to curtail the unauthorized use of | computers. 
To make it illegal for people to deliberately | circumvent the security measures built into computers to | obtain information or cause other harm. If I hand you a | computer, tell you the password, and ask you to login to my | computer and respond to an email for me, but then ask you not | to look in the `Taxes` folder on the desktop _should_ it be a | felony for you to open the `Taxes` folder? That conceptually | feels wrong to me. I have violated your trust, sure, but I | haven't committed fraud, and I haven't abused any access | control mechanisms on the computer. | | Or another scenario: your work gives you a work computer, and | has a paragraph in the employee handbook that says you are | never allowed to visit news.ycombinator.com on the work | computer. At some point while working at the company, you visit | news.ycombinator.com on the work computer. Have you just | committed a felony? You've "exceeded the authorized access", if | you interpret "entitled" and "authorized" as broadly as Thomas, | Alito, and Roberts seem to. Should that really be a felony? | | That interpretation leads to such a massive broadening of | felony criminal liability. It doesn't gut-check for me. That, | combined with what I perceive as the better textual reading of | the phrases "so" and "entitled", I have to disagree with you. I | think the other 6 justices had the better argument at multiple | levels. | merpnderp wrote: | I initially agreed with Justice Thomas's viewpoint but you | really make it clear that he is wrong. | WillPostForFood wrote: | _That interpretation leads to such a massive broadening of | felony criminal liability. It doesn't gut-check for me_ | | I agree with you, it totally fails the gut check, but it is | because the law is poorly written. The Supreme Court bailed | out the lawmakers by winging it here. The minority opinion is | the worse, but more accurate plain reading of the law. 
| zozbot234 wrote: | The alternative would be declaring the act void for | vagueness. A statute that "forbids or requires something in | terms so vague that men of common intelligence must | necessarily guess at its meaning and differ as to its | application" violates the constitutional provision of due | process. So the SCOTUS ruling makes sense in terms of | choosing the least disruptive option wrt. general | expectations. | Natsu wrote: | Not really. I would just read the word "fraud" in the | very title of the act and decide that means that whether | or not the access was unauthorized depends on whether you | lied to gain access. | | I won't claim that test is perfect, but it's a lot | clearer than the current standards and when I go through | past cases, I don't see it coming to any indefensible | conclusions. | | Yes, that would agree with the majority holding in this | case. It's important to note that even if they didn't | violate the CFAA, they likely broke plenty of other laws | and can be punished for that. | | So this conduct absolutely deserves to be punished, just | not under the CFAA. | ncallaway wrote: | Well, that ignores the part where I agree with the textual | reading and interpretation of the majority. | | I think the majority opinion is also the more accurate | plain reading of the law. So, from my perspective, no | bailing out is necessary. The gut check and the plain | reading both seem to align. | WillPostForFood wrote: | _intentionally accesses a computer without authorization | or exceeds authorized access_ | | Did he exceed authorized access? He did, and therefore he | broke the plain reading of the law. The law should be | better, and separate violating access controls from | violation of access policy, but it doesn't. 
| unyttigfjelltol wrote: | Judges interpret ambiguous laws narrowly to avoid criminal | liability, as you say.[1] Three justices dissented though, I | take it, because in their view the words weren't ambiguous, | even if leniency would have been the better public policy. | | [1] https://en.m.wikipedia.org/wiki/Rule_of_lenity | mywittyname wrote: | > but then ask you not to look in the `Taxes` folder on the | desktop should it be a felony for you to open the `Taxes` | folder? That conceptually feels wrong to me. I have violated | your trust, sure, but I haven't committed fraud | | You accessed privileged information that you were explicitly | not allowed. To me, asking you not to look at certain | information is effectively the same as putting a password on | it, then having you break it. In both cases, the intent of | the owner is clear: do not access these files. And in both | cases, the actions of the perpetrator very clearly disregard | the owner's intent. | | Your example about accessing a website is not the same. It's | pretty clear that the person going to news.ycombinator.com is | not stealing or accessing privileged information. There have | been separate rulings dealing with whether or not employees | can use corporate equipment for personal reasons. | | A more analogous example to the case at hand would be an | employee at Google/Humana/Tinder selling your private details | to a third party. This ruling means that such activity is | perfectly legal, even if the terms of their employment state | the opposite. | | Unless, of course, the only reason the court ruled in favor | of this person was that they are a police officer. But I | guess we have to wait until the FBI attempts to press charges | against someone at Google selling personal details to third | parties to find out. | andrewjl wrote: | > A more analogous example to the case at hand would be an | employee at Google/Humana/Tinder selling your private | details to a third party. 
| | That's not a realistic example because something like that | would be covered by an NDA or alternatively, if in EU or | California, by data policies. | nokcha wrote: | >There have been separate rulings dealing with whether or | not employees can use corporate equipment for personal | reasons. | | Such rulings are about different laws. The government's | interpretation would criminalize violating a protected | computer's terms-of-service regardless of whether it is | part of a corporate intranet or an ordinary website on the | Internet. And yes, the government has pursued criminal | charges for violating a website's ToS; see _United States | v. Drew_ , 259 F.R.D. 449 (C.D. Cal. 2009). | | >A more analogous example to the case at hand would be an | employee at Google/Humana/Tinder selling your private | details to a third party. This ruling means that such | activity is perfectly legal, even if the terms of their | employment state the opposite. | | As to Humana, it would likely be a criminal HIPAA | violation. | johnnyapol wrote: | > A more analogous example to the case at hand would be an | employee at Google/Humana/Tinder selling your private | details to a third party. This ruling means that such | activity is perfectly legal, even if the terms of their | employment state the opposite. | | No, this isn't what this means at all. This ruling just | means you haven't committed a crime under the Computer | Fraud and Abuse Act by accessing that data if you didn't | "hack" to get access to it. Depending on the information | you sold, you could've violated other laws and you | definitely violated the Non-Disclosure agreement you signed | with those companies. | | For reference, the cop in this case had other convictions | under wire fraud laws that weren't changed by this. | ncallaway wrote: | > To me, asking you not to look at certain information is | effectively the same as putting a password on it, then | having you break it.
| | To me, they are not effectively the same at all. I see | there being two different types of "authorization" at play. | One is a mechanical authorization built into the computer | systems (a password, for example). The other is a policy | authorization, built into how I convey to you what is | "allowed" on the system. They seem fundamentally different | to me. | | To 6 justices on the Supreme Court, they are not | effectively the same thing either. To 3 justices, they are. | The ambiguity of English is definitely annoying when we get | into the nitty-gritty of laws! | | > A more analogous example to the case at hand would be an | employee at Google/Humana/Tinder selling your private | details to a third party. This ruling means that such | activity is perfectly legal, even if the terms of their | employment state the opposite. | | That's simply not what this ruling holds. That would be an | accurate summary of this ruling if and only if the CFAA | were the only law that exists in the United States Code! | | "Legal" is also an ambiguous word in this context. Such an | activity may break other laws, or it may not. I'm not | familiar with what other criminal liability may attach to | such behavior. But that activity almost certainly would be | a civil violation. I would potentially be able to sue | Google/Humana/Tinder (though there's a chance their privacy | policy already gives them the option to sell my | information). And Google/Humana/Tinder could certainly sue | the rogue employee for damages caused by such a sale. | | If Google/Humana/Tinder wanted to go further to protect | themselves from bad-acting employees, they could use actual | access controls (instead of mere policy) to restrict the | ability for employees to access such data and only give | access to employees who need such access. 
While it's | certainly not the thing a Supreme Court ruling should hinge | on, it's a nice added bonus that this gives a further | incentive for companies to implement _actual_ least access | control rather than just making it a policy. | jdmichal wrote: | > If Google/Humana/Tinder wanted to go further to protect | themselves from bad-acting employees, they could use | actual access controls (instead of mere policy) to | restrict the ability for employees to access such data | and only give access to employees who need such access. | | I'm pretty sure the exact fact that Amazon did _not_ | appropriately restrict access in this way is one of the | points being considered in the antitrust case. | Specifically, that people who shouldn't have been able | to, and who shouldn't have by policy, still could access | seller data. | wlesieutre wrote: | For the requisite car analogy: one is like a mechanic taking | your car for a joyride after you give them the key, the other | is a stranger taking it for a joyride after breaking in and | stealing it out of your driveway. | | One of them is misusing a car that you gave them access to, | the other one is stealing it. | pessimizer wrote: | That's because you're assuming the stranger doesn't return | the car. If your mechanic takes your car for a joyride | after you give them the key for purposes of repairing your | car, and a stranger steals my car when I'm not using it and | brings it back before I notice it's missing, I don't | understand why one is any different or worse than the | other. | NovemberWhiskey wrote: | In my jurisdiction, a mechanic who takes a car for a | joyride is committing a class A misdemeanor (unauthorized | use of a vehicle in the third degree) | | ref. https://codes.findlaw.com/ny/penal-law/pen- | sect-165-05.html | | In other jurisdictions (like, say, New Hampshire), that | same case falls into the definition of theft.
| | http://www.gencourt.state.nh.us/rsa/html/LXII/637/637-9.htm | [deleted] | nostrademons wrote: | There's an important distinction between levels of government and | civil vs. criminal penalties here. From section a.4 of the | holding: | | "The relevant question, however, is not whether Van Buren | exceeded his authorized access but whether he exceeded his | authorized access as the CFAA defines that phrase." | | The CFAA is a federal statute that governs unauthorized access to | computer systems. When granting authorized access to computer | systems, other organizations (whether states or police | departments or private companies) are free to set their own | policies, and they can enforce those policies with the mechanisms | they have available to them, like terminating the offending | officer or revoking his computer access (at which point further | access _would_ be a CFAA violation). But _can they then use the | language of the CFAA to criminalize violations of their own | authorization policies_? This holding says no - the CFAA covers | the initial access to the computer system, and then violation of | more granular access policy is a civil matter between the | individual parties. | | This is consistent with several other recent court positions. | There was a recent case to criminalize ToU violations [1]; the | court ruled that this is an overbroad reading of the CFAA and ToU | violations were civil matters between parties. When Anthony | Levandowski used Google's network to download self-driving car | plans and sell them to Uber [2], he was prosecuted under "theft | of trade secret" laws, not under the CFAA. It's also analogous to | perpetual free speech battles, where the court has repeatedly | ruled that private parties are free to restrict speech on their | own property, and that the 1st amendment applies only to the | _government_. 
In general liberal democracies seek to apply | restrictions as narrowly as possible and have private parties | work out contracts and consequences amongst themselves, only | stepping in when there is no way to enforce such agreements | without an outside power. | | [1] https://arstechnica.com/tech-policy/2020/03/court- | violating-... | | [2] https://www.justice.gov/usao-ndca/pr/former-uber- | executive-s... | dsr_ wrote: | This seems to me to be the correct decision. Van Buren should | have been charged with: | | GA 332: Abuse of official power GA 333: Exceeding official powers | GA 338: Bribe-taking | | and, Federally, 18USC 201, which prohibits public officials from | taking bribes. | a1369209993 wrote: | There should be some snooping/violation-of-privacy charges as | well, but otherwise that sounds about right. CFAA is not | relevant here. | a1369209993 wrote: | > CFAA is not relevant here. | | Er, CFAA is not relevant to the criminal case against Van | Buren, I mean. | Natsu wrote: | I'd imagine they were, by the time things get to the Supreme | Court, they're dealing with very narrow issues of law and not | the entire case. | cletus wrote: | I'm surprised at the negativity here. I agree with this decision. | | When I saw it was a 6-3 decision my first instinct was "oh | another conservative-liberal divide" but no it isn't. I'm | actually surprised to find Thomas dissenting since he's just a | stickler for the literal text. | | To me the ruling seems correct: the offender may have exceeded | department rules and such access by that measure was | "unauthorized" but he was not an unauthorized user to the system. | | It's refreshing to see limits to the overreach on what | constitutes "hacking". This isn't hacking. | | Were this ruling in effect when Aaron Swartz was charged, I very | much suspect it would've invalidated the hacking charges under | the CFAA (since he used a guest account he had access to).
| tomschlick wrote: | > I'm surprised at the negativity here. | | If this were not a ruling in favor of a police officer, I feel | that you would see a much more positive response. The past few | years of political craziness have warped peoples' minds where | they can't recognize a good thing anymore. | J5892 wrote: | Agreed. | | My initial reaction to the headline I read was anger that an | officer got away with abusing his power. But upon learning the | details, it's clear that a CFAA violation is an inappropriate | charge here. | r0m4n0 wrote: | Yep, I think this was a small win for the opponents of CFAA but | this is a total show of force of the supreme court. This law is | famously broad and to interpret it in its literal sense would | mean the mass majority of the nation would be federal criminals | (they point out some of the scenarios in the article). | | Instead of law makers fixing the problem, the supreme court is | effectively reading between the lines. Luckily IMHO they are | doing the right thing here and will put this particular | employer based scenario to rest. | | Now to clarify on the countless other holes in the CFAA... | duxup wrote: | Agreed. | | This is a policy violation, and maybe that should be illegal in | some way or have consequences. I'd be ok with that, but it's | just not "exceed authorized access". The person in this case | was authorized. | | The idea that you could be authorized, but suddenly not because | of a policy doesn't make sense to me and that's kinda weird | because that seems right up Thomas's literal interpretation | alley (come on Thomas, use it right for once). | | Imagine Comcast changes a policy, and suddenly you're in | violation of Computer Fraud and Abuse Act (CFAA). | secothroa wrote: | Policies, by definition, are ways by which authorization | rules are enforced. If the officer violated a policy, they | also by definition violated their authorizations. 
| | >The idea that you could be authorized, but suddenly not | | They were never authorized to use this system in this way, so | there was not a "authorized but then suddenly not". The | officer's authorization was static: not authorized. | | Authorization is more than just the technical controls in a | system, and lack of a technical control to prevent an officer | using a system in certain ways does not mean said officer is | authorized to use the system in any way they please. | badRNG wrote: | I think we are confusing two concepts here. | | The officer's _actions_ were unauthorized on a system he | was provided access to. He didn't gain unauthorized access | to a system, he failed to follow the rules on a system he | already had access to. | a1369209993 wrote: | > The officer's actions were unauthorized on a system he | was provided access to. | | Er, no, that's specifically not the case. The officer's | actions _on the system_ in fact _were_ authorized; he was | authorized to look up licence plate information. The | officer's actions _later_ - specifically sharing private | information with a third party - were criminal[0], and | would be criminal regardless of whether a computer was | even involved. | | 0: Give or take legislative and judicial corruption à la | misrepresenting theft as 'civil forfeiture', but that's | not really the point. | treis wrote: | Authorization isn't just yes or no though. It's | conditional on intent. | | Say I give a neighborhood kid a key to come water my | plants while I'm out of town. If they use that key to | gain access and throw a party they're trespassing. I | don't see why it should be different for a CPU | JumpCrisscross wrote: | > _Authorization isn 't just yes or no though_ | | For purposes of this law, it is. The Government agreed | "that Van Buren 'access[ed] a computer with authorization' | when he used his patrol-car computer and valid | credentials to log into the law enforcement database" | [1].
| | "The dispute is whether Van Buren was 'entitled so to | obtain' the record." The Court found that Van Buren _was_ | entitled so to obtain the record, in that entitlement is | the operative word. If the file is electronically | accessible to the user, they have entitlement to so, | _i.e._ electronically, obtain it. They aren't properly | authorised or permitted or something else to it. But | those weren't the words used. "Authorized," unadorned, | and "entitled so to." | | [1] https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf | treis wrote: | I know, but it doesn't make sense. It's like arguing the | kid was entitled to throw a party because he had my key. | JumpCrisscross wrote: | > _like arguing the kid was entitled to throw a party | because he had my key_ | | Did he steal your key? Or did you give it to him? If he | stole your key, he wasn't entitled to your house. But if | you gave him the key, he had entitlement to it. | | If this were a friend, not a kid, you _might_ be able to | sue her for throwing a party in your house without | permission. You would not be able to get her charged with | breaking and entering because she overstepped the | conditions that came with your key. | treis wrote: | B&E requires intent to commit a felony in my state. If we | change the story to the kid using the key to rob me then | yes he will get convicted of B&E (burglary in my state). | Dylan16807 wrote: | So if they come in with full intent to water the plants | and walk off with your things, and do so, they'll be | charged with "breaking and entering"? That really | _shouldn't_ be a valid charge. It should be pure | larceny. | treis wrote: | In that case no because they didn't enter with the intent | to commit a felony. | Dylan16807 wrote: | You may not have caught the first-minute edit I made. Or | I worded it badly. | | Presume they had intent to water _and_ steal at a felony | level when they entered. | treis wrote: | Then that's a crime.
The innocent motivation doesn't wash | away the guilty one. | Dylan16807 wrote: | If they walked through an already-open door with the | intent to steal, entering wouldn't be burglary, at least | not under the rules I'm used to. | | If they had to break open the door, entering would be | burglary. | | Using a key they were supposed to have, to enter a | building they were supposed to be able to enter? I would | say it _should_ be treated like the former case, not the | latter case. | | US law may not always agree with me, and apparently there | are states where shoplifting can count as burglary. But I | say stretching the definition that far is ridiculous. | secothroa wrote: | It isn't just about access to the system, but access to | the data as well, and he accessed data that he was not | authorized to access. That is "exceeding authorized | access". | | - Logging onto the system: officer has technical access | to log on and is authorized to log on, no problem | | - Accessing normal data the officer needs for legitimate | reason: officer has technical access to this data and is | authorized to access it, no problem | | - Accessing data for the purpose of a bribe: officer has | technical access to this data, but is not authorized to | access it, thus they are exceeding their authorized | access | kstrauser wrote: | His crime was violating the policy. He clearly did not | hack into the computer system to get the data, and that's | what the CFAA was meant to prosecute. | | Put another way, he didn't work around any computer | controls to get at the information. | secothroa wrote: | >Put another way, he didn't work around any computer | controls to get at the information. | | That's irrelevant. You can do unauthorized things without | having to "work around" controls. | | >He clearly did not hack into the computer system to get | the data, and that's what the CFAA was meant to | prosecute. 
| | The CFAA was meant to prevent computer-related crimes | including but not limited to unauthorized access, fraud, | abuse, etc, which this clearly was. | chipsa wrote: | CFAA now is about violating technical controls, not | policy controls. If policy says "Don't look at HR data", | but nothing technically stops you from looking, it's not | a CFAA violation to look. | [deleted] | hackinthebochs wrote: | >You can do unauthorized things without having to "work | around" controls. | | The term "unauthorized" is overloaded. There is one sense | in which he was unauthorized by policy. There is another | sense by which he was authorized by technical access. | These are separate scenarios and separate violations. It | makes no sense for unauthorized-by-policy to be a | violation of a computer hacking statute. | kstrauser wrote: | > That's irrelevant. You can do unauthorized things | without having to "work around" controls. | | SCOTUS disagrees with you, and so do I. | | > The CFAA was meant to prevent computer-related crimes | including but not limited to unauthorized access, fraud, | abuse, etc, which this clearly was. | | He didn't do any of those with respect to the computer | system. He accessed a resource that he had authorization | to access as part of his job. He misused it, but didn't | break into the system or gain access by fraud. His | reasons for accessing the data were wrong, but his access | was authorized. | secothroa wrote: | >His reasons for accessing the data were wrong | | This, by definition, makes his access unauthorized. | That's the point. "Authorization" is more than just | technical controls. He was _not authorized_ to access the | data for this reason. | badRNG wrote: | > This is a policy violation, and maybe that should be | illegal in some way or have consequences. | | Sure, and usually policy violations that matter do involve | civil consequences (e.g. 
litigation to recover damages) but | not handing out felonies or putting someone in prison for a | decade+. | duxup wrote: | I could see a law that has stricter terms for sensitive | data, and civil servants with access to it. I'd be ok with | that. Maybe even felonies depending on what occurred and | whatever the law is. | | It's just the law in this case doesn't fit what happened. | [deleted] | stefan_ wrote: | This person sold access to restricted data and abused his | privileged position as civil servant to do so. Maybe it's | not CFAA, but I'm sure it should be a felony of some sort. | nullc wrote: | Absolutely, and it probably already is. CFAA is just such | an absurdly overbroad law with rather harsh penalties | that it gets charged even when there are other more | reasonable alternatives. | xbar wrote: | Yes, as the Court noted in its opinion regarding the | Government's charging practices. | JumpCrisscross wrote: | > _it 's not CFAA, but I'm sure it should be a felony of | some sort_ | | The Opinion says he "was charged with and convicted of | honest-services wire fraud," though that it was vacated | in a separate holding [1]. | | [1] https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf | belorn wrote: | If he directly shared or transferred the police database | information to someone else then it looks very odd that | the government went after him for hacking. Sharing of | classified information is a more serious crime, and | hindering a police investigation is also a crime. | caymanjim wrote: | Police data is not classified. | belorn wrote: | It isn't? I would think that information such as of | people with hidden identity or informants was not public | information but rather something for which the government | has deemed sensitive enough to protect. Am I wrong? | | In my country any information related to an on-going | investigation is automatically classified. Police are not | allowed under the law to divulge to the press any such | information.
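The thread keeps circling one distinction: a limit written into a policy ("look plates up only for law-enforcement purposes") versus a limit built into the code, which is what ncallaway's "actual access controls instead of mere policy" suggestion, secothroa's three-step list (log on / normal lookup / lookup for a bribe) and chipsa's "technical controls, not policy controls" all point at. The example below is added here to show what that looks like in practice; it is not code from the thread or from any real records system, and every user, case and plate record in it is constructed. The caveat a practitioner should keep in mind is also visible in the code: software cannot check motive, so the best a code-based control can do is demand the verifiable precondition the policy cares about (here, an open case the caller is assigned to) and audit every attempt.

```python
"""Added example: turning a policy-only limit into a code-based limit.

All users, cases and plate records below are constructed; nothing here is
taken from the Van Buren record or from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


class AccessDenied(Exception):
    """Raised when a lookup fails a technical (code-based) check."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Case:
    case_id: str
    assigned_to: frozenset  # user names allowed to query under this case
    is_open: bool = True


# Constructed sample records (hypothetical owners, addresses and cases).
PLATES: Dict[str, dict] = {
    "ABC123": {"owner": "J. Example", "address": "1 Sample St"},
    "XYZ789": {"owner": "K. Example", "address": "2 Sample Ave"},
}
CASES: Dict[str, Case] = {
    "2021-0001": Case("2021-0001", frozenset({"officer_a"})),
    "2021-0002": Case("2021-0002", frozenset({"officer_b"}), is_open=False),
}
AUDIT_LOG: List[dict] = []


def _audit(user: User, plate: str, case_id: Optional[str],
           allowed: bool, reason: str) -> None:
    """Append one record per lookup attempt, whether allowed or denied."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.name, "plate": plate, "case_id": case_id,
        "allowed": allowed, "reason": reason,
    })


def policy_only_lookup(user: User, plate: str) -> dict:
    """The situation discussed in the thread: the only gate is a valid login.

    The purpose restriction exists only in a written policy. Nothing in the
    code ties a query to a purpose, so every logged-in officer's access
    extends to every record, and a misuse leaves no trace.
    """
    if "officer" not in user.roles:
        raise AccessDenied("not logged in as an officer")
    return PLATES[plate]


def enforced_lookup(user: User, plate: str, case_id: str) -> dict:
    """A code-based limit with an audit trail.

    The code cannot see why the caller wants the record, so it checks the
    verifiable precondition the policy cares about instead: an open case
    the caller is assigned to. A lookup outside one is blocked rather than
    merely forbidden, and every attempt is logged for review.
    """
    if "officer" not in user.roles:
        raise AccessDenied("not logged in as an officer")
    case = CASES.get(case_id)
    if case is None or not case.is_open:
        _audit(user, plate, case_id, False, "no open case")
        raise AccessDenied(f"{case_id}: no such open case")
    if user.name not in case.assigned_to:
        _audit(user, plate, case_id, False, "caller not assigned to case")
        raise AccessDenied(f"{user.name} is not assigned to {case_id}")
    if plate not in PLATES:
        _audit(user, plate, case_id, False, "unknown plate")
        raise KeyError(plate)
    _audit(user, plate, case_id, True, "assigned open case")
    return PLATES[plate]


def denied_attempts(user_name: str) -> List[dict]:
    """Denied lookups by one user: the signal a reviewer would look for."""
    return [e for e in AUDIT_LOG if e["user"] == user_name and not e["allowed"]]


if __name__ == "__main__":
    officer_a = User("officer_a", frozenset({"officer"}))
    print(policy_only_lookup(officer_a, "XYZ789"))            # allowed, no audit
    print(enforced_lookup(officer_a, "ABC123", "2021-0001"))  # allowed, audited
    try:
        enforced_lookup(officer_a, "XYZ789", "2021-0002")     # closed, unassigned
    except AccessDenied as exc:
        print("denied:", exc)
    print(denied_attempts("officer_a"))
```

The design point is that `enforced_lookup` does not try to encode "improper motive"; it encodes something an auditor can later verify against the case file, which is both what makes it enforceable in code and what makes a denied attempt meaningful in the log.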
| caymanjim wrote: | In the US, barring other qualifiers, "classified" is a | federal designation for national security data. Police | are not federal. I could get more pedantic about it; | there are designations like "Unclassified/Law Enforcement | Sensitive" for data that can be shared with police. The | police are allowed to keep various information | internally. I'm not sure that license plate ownership | information is protected at all, though, for this | specific case. | akiselev wrote: | (big IANAL) Criminal penalties for revealing information | would be a major affront to the First amendment since | they're the most direct way for the government to | restrict speech. The Federal classification system only | works because the individuals given security clearance | enter into a special contractual agreement with the | Federal government - only someone who has made that | agreement can face criminal penalties for revealing | classified information. A random pedestrian who's never | even been allowed near classified information but | stumbled onto it can't be prosecuted (at least, not once | it gets to a sane appeals court). | | That's to say: it'd be up to each state to create its own | criminal laws regarding what they consider confidential | information (if any) and make sure those laws are | constitutional by explicitly writing them into the police | officers' contracts. Much of the time, changing internal | policy is all that states can realistically do because | some federal statute or constitutional clause has | supremacy - even something that's normally a fireable | offense at a private business might run afoul of | constitutional protections when done by a state | government or agency. | threatofrain wrote: | Out of curiosity, how would such a contract work? | Normally the violation of a contract just means a tort | and not criminal penalty. 
Surely you cannot simply say | something like, "I agree that exercising my | constitutional rights is now a federal offense." | kelnos wrote: | My (possibly flawed) understanding is that "classified | information" in the US is pretty much a federal | government thing, and is usually used for information | relating to national security or spy-agency type stuff. | | I would imagine information about informants or people | with hidden identities would be considered privileged | information in whatever state/local law enforcement | jurisdiction created it, but penalties for leaking or | distributing it would be a local matter, and many | localities might not have specific laws on their books to | deal with it. | | Regarding on-going investigations, police aren't supposed | to publicly discuss information about investigations, but | they may if they deem that there is a public interest in | doing so, or that doing so will help them with their | case. I may very well be wrong here, but my gut suggests | that in most places in the US there are likely not | specific laws against public disclosure of details of | ongoing investigations. | nostrademons wrote: | He should be charged with the laws against that, then, | rather than the CFAA. This other poster mentioned some: | | https://news.ycombinator.com/item?id=27385624 | kstrauser wrote: | Exactly. If he were charged with "bribery, and also | public urination" for this, while I wouldn't be happy | about what he did, it definitely wouldn't be public | urination. | xbar wrote: | Well argued, counselor. | throwsadlfksjdf wrote: | I find both your and GP's swipes against Justice Thomas to be | perplexing. Literal interpretation of the Constitution's | meaning at the time it was written is exactly what you should | want, not whatever that single judge feels should be or | should have been the meaning. I don't see how that's a bad | trait. 
| jrochkind1 wrote: | I wonder if the negative commenters are unaware of the history | of CFAA prosecution abuse, and are coming at this for the first | time only through this case. | | This is very, very good news. | | https://www.eff.org/deeplinks/2020/01/eff-asks-supreme-court... | | https://www.eff.org/deeplinks/2021/06/supreme-court-overturn... | pdonis wrote: | I don't find either side's arguments particularly compelling in | this case; they all look like legalistic sophistry to me more | than anything else. I think the fundamental problem is that the | CFAA is bad law, which means that there will be reasonable | arguments on both sides any time it comes up in a court case. | What should really happen is that the law should be changed. | jdmichal wrote: | > What should really happen is that the law should be | changed. | | And the way to make _that_ happen is by limiting the scope of | the law as much as possible, in order to force law makers to | rewrite it. Which is what has happened here. If law makers | _did_ intend the rejected interpretation, then they should | rewrite it to clarify such. | pdonis wrote: | _> the way to make that happen is by limiting the scope of | the law as much as possible, in order to force law makers | to rewrite it._ | | I doubt that will actually happen, though. Our system | basically assumes that laws will be written to be vague and | ambiguous, and that courts will clarify the interpretation | over time. I don't think this is a very good way to run | things, but it seems to be the way we've settled on. | jdmichal wrote: | Maybe. But it's a pretty strong component of the | interaction between legislature and judiciary. Ambiguity | should be resolved to make fewer things criminal. And | then the legislature can disambiguate if they deem it | important enough business to do so. 
| | https://en.wikipedia.org/wiki/Rule_of_lenity | ggggtez wrote: | It's almost as if textualism is just an excuse, and not | actually a coherent legal view... | | I have mixed feelings on the ruling. It sounds to me like a | crime did occur. But the CFAA is _also_ overly vague... Without | reading the details of the case and the statute, it's hard for | me to be sure what to think here. | | I guess looking forward, this will force police departments and | others to be more explicit in their access policies, which it | sounds like here there just wasn't any? | | I guess that's a win? | Natsu wrote: | I agree with this decision, but I've always advocated my own | personal test for whether access is 'unauthorized' or not. | | Basically, I would say that unauthorized access should require | some material deception to gain access. So if you socially | engineer your way in, it's unauthorized--you lied to someone. | If you use a computer virus, it's unauthorized--you lied to the | computer to get it to execute that code, probably | misrepresenting it as some other type of data. If they set the | permissions wrong or it's just an AUP thing, it's not | unauthorized access. Though, as here, it might be against the | law for some other reason (violation of privacy or whatever). | | This would avoid catching people out because someone set | permissions to give too much access or wrote overbroad AUPs | that shouldn't be turned into federal felonies, while providing | a nice bright line because you can actually test whether, if | not for the deception, they'd have been granted access to the | system, especially the computer side of that. So the people who | used anonymous FTP with a fake email won't become felons | because it's easy to prove the system lets in everyone no | matter what their email is set to, whereas the person using | someone else's credentials lied to the system about who they | are and should get punished, etc.
| | I think that my test would be consistent with this holding, but | remember that this is merely my view of how the law should be. | It's not a description of how the law is, it's something I | would advocate that I believe provides a reasonable boundary | between authorized and unauthorized access that's both clear and | testable. | repiret wrote: | I think the problem with the deception test is that if the | login screen for the DMV database access had a checkbox that | said "I am only using the system in a way consistent with | department policies" or something, then you could argue that | checking that box was deceitful. | | I think Congress' intent with CFAA was to criminalize | hacking. There are already laws against fraud, so we don't | need a deceitfulness test to catch, say, social engineering. | The problem I think is that CFAA was written in 1986 and not | enough people understood what hacking was well enough to | write it down clearly in the law, so instead the "excess of | authorized access" language is in the law, and has been used | to criminalize lots of things that aren't really hacking and | Congress didn't intend to criminalize with the CFAA. | pessimizer wrote: | What if I, as your employer, say "you're not authorized to | look at records that haven't been assigned to you" and you | then look at a record that hasn't been assigned to you - is | that unauthorized access? | | edit: I certainly don't agree that the distinction between | access to a file in a file cabinet and a record on a computer | should be significant. I think it's a dumb law. But the | unauthorized access test is straightforward. If I work at a | company that disallows internet browsing other than for work | purposes and I visit my facebook page, I think that's a clear | case of hacking under the "authorized access" test, and my | only real defense would be that I needed to check facebook | for work. | secothroa wrote: | >is that unauthorized access? | | Yes.
And SCOTUS's problem is that they think the punishment | for visiting facebook at work shouldn't be the same as the | punishment for stealing company records - and that's fine, | and of course something I agree with. But SCOTUS should | actually address _that_ directly, rather than going down | this weird path of trying to warp the definition of | "authorized". | shuntress wrote: | That is "hacking" the same way opening an unlocked filing | cabinet you were told never to look in is "lockpicking". | Natsu wrote: | I'd say that should only be fraud if you lied to get | access, I don't agree with interpretations that allow any | random AUP to create new felonies. | | Don't get me wrong, I understand how that can be | straightforwardly interpreted as "unauthorized access." I'm | advocating for what the law _should_ be, in my view. The | idea is to make a bright line that gives a test for _mens | rea_ to avoid over-criminalization while not being too | unreasonable. I'm sure there could be scenarios I haven't | thought of that would turn out poorly. | bitcurious wrote: | >Basically, I would say that unauthorized access should | require some material deception to gain access. So if you | socially engineer your way in, it's unauthorized--you lied to | someone. If you use a computer virus, it's unauthorized--you | lied to the computer to get it to execute that code, probably | misrepresenting it as some other type of data. If they set | the permissions wrong or it's just an AUP thing, it's not | unauthorized access. Though, as here, it might be against the | law for some other reason (violation of privacy or whatever). | | Interesting test. What if you set your user agent to chrome | instead of firefox and that grants you access to a website? | aidenn0 wrote: | That would arguably be wire-fraud (you lied over an | electronic network in order to get some material gain). | Natsu wrote: | Yeah, cases like this are a bit harder.
Part of the idea is | how important the lie is to gaining access. It is difficult | to distinguish a relatively harmless lie like this, or | claiming to have actually read the 1,000,000 page AUP, from | someone impersonating another. | a1369209993 wrote: | > What if you set your user agent to chrome instead of | firefox and that grants you access to a website? | | The website is at fault. This is no different than lying | about your religion to bypass a discriminatory shop owner. | agency wrote: | I would not say "no different." Religion is a protected | class[1], web browser preference is not. The law does not | treat all kinds of discrimination equivalently. | | [1] https://en.m.wikipedia.org/wiki/Protected_group | haswell wrote: | But where do you draw the line re: which type of "lie" | matters? | | A naive generalization might say that "lying" by setting | a header = illegal. But clearly there is a difference | between setting the Authorization header and setting the | User-Agent header. | | But what about headers that are not so well-defined? What | about custom headers? | | I'm not disagreeing with you, but these are the first | questions that come to mind. | | It seems that a judge would have to carefully consider | the design of the system, and whether the vector that | granted access was something that was clearly negligent | on the part of the site owner, or was truly an attack | vector and deemed illegal. But it seems difficult to | formulate a universal test for this. | kenjackson wrote: | > Basically, I would say that unauthorized access should | require some material deception to gain access. | | This seems like a poor definition, IMO. | | For example, what if I tell you I'm going to club you over | the head and get access to the computer you're on. And I do | so. There was no material deception. I did exactly what I | said. | | Another example is what if I just walk around the counter | while you're not there. There is no one around to deceive.
| mananaysiempre wrote: | > For example, what if I tell you I'm going to club you | over the head and get access to the computer you're on. | [...] There is no material deception. | | Then there's no hacking and you should be charged with | assault or whatever else is appropriate. | | > Another example is what if I just walk around the counter | while you're not there. | | Then it doesn't matter if there was an unlocked computer or | an unlocked cabinet behind that counter. | | There doesn't need to be, for every illegal act X, an extra | special law or punishment for "X but a computer was | involved". | | People want a criminal penalty for hacking and maybe | they're right, but you shouldn't try to cover every | undesirable act that involves a computer with a single law | any more than every undesirable act that involves a piece | of paper is covered with one. You also shouldn't claim that | breaking down a door is the same as walking through an open | one, even when both constitute (among other things) | trespassing. | takeda wrote: | But then that would be considered hacking only if you used | an axe. | dane-pgp wrote: | Presumably the argument is that you are "deceiving" the | computer into thinking that you are the person whose head | you clubbed, or who walked away from the counter. | kenjackson wrote: | Only if the computer had some type of technical | authorization associated with it. | Natsu wrote: | > For example, what if I tell you I'm going to club you | over the head and get access to the computer you're on | | That's either a true threat, or assault and battery. It | only becomes computer fraud if you fraudulently use my | credentials to access the computer. | | > Another example is what if I just walk around the counter | while you're not there. There is no one around to deceive. | | That's trespass, not computer fraud. | | There's more than one crime on the books. 
Saying that | something isn't computer fraud isn't claiming that all | those things should be legal. | | Like in this case, I think it should be bribery more than | computer fraud. | kenjackson wrote: | > That's trespass, not computer fraud. | | Why is that trespassing? There's no sign that says I | can't go behind the counter? In fact, in many cases you | can go behind the counter, just you aren't expected to | jump on their computer. The problem isn't that I'm behind | the counter. The problem is that I'm using a computer I'm | not authorized to use -- it's just whoever set up the | computer didn't set up an authorization gateway. | | But really access to the computer really isn't fraud. | It's what you do once you're at the computer that matters | much more. It's authorization for the action that matters, | not access authorization. | mananaysiempre wrote: | There's actually an argument to be had around how illegal | this should be. | | Let's take computers out of the picture again. Suppose I | know that an organization O throws out folders with | sensitive data D into the trash can in their publicly-accessible | lobby every Friday at 3 pm. People that want | to know D pay me to come there at 2:55, root through the | can and write down the pieces that they need. | | Should what I am doing be illegal? Whatever your answer, | is it in any way different from walking around that same | lobby sniffing O's open Wi-Fi network except for | "computers were involved"? | telotortium wrote: | I wonder how the market for compliance and authorization tools | and services will react to this ruling. I would guess they will | have a lot of increased business - even though employers can | always fire an employee that violates policy, it will probably | strengthen their case to ensure that the employee is also | breaking the law, especially in unionized workplaces or other | places where formal policies around termination are especially | important.
| elliekelly wrote: | What a silly and cynical comment. Most employers (the _vast | majority_ even!) aren't looking to set their employees up to | become criminals when they fail to follow company policy. | Usually the goal of a policy is to have a fail-safe: where even | if the policy is violated the law isn't. | viztor wrote: | I don't think the agent's action is proper, but it had nothing to | do with computer fraud per se, nor is it the legislation | intention. | | Suppose someone was granted access to evidence room, but had a | look at the evidence that is not of his case, or a case file that | he has access to for reasons not work-related. And those | generally fall in the area of internal regulation, in which case | the agency takes the legal blame for the agent, and should it | take actions against the agent, it might be supported. | | Plainly, even if those records were physical the referred | agent could have done the same thing. Logically, it's not a | matter of abusive conduct through computer, it's a matter of | abusing public power. | chmod600 wrote: | Questions: | | * Should there be a distinction between violating a written | policy; and bypassing a technical barrier? | | * Should there be a distinction between doing something that you | are ordinarily permitted to do, but for an unpermitted purpose; | and doing something that you are just never permitted to do? | | It seems that the Court didn't answer the first question, which | is more interesting to me. | duxup wrote: | If someone has access to data, but uses it inappropriately, that | doesn't sound like something that should be covered by "exceed | authorized access". | | If someone is using that information inappropriately, maybe that | should be against the law, but not the Computer Fraud and Abuse | Act. | Animats wrote: | This is an important decision, in that it means that violations | of terms of service are not criminal offenses.
| supergirl wrote: | did the court clarify what "authorized" means? seems that the | opinion hinges on that definition. | | does it mean just knowing the right user name and password? what | if the login page also had a check box "I agree to use this | system only to perform my job". if the cop lies and checks this | box, does it mean he's not authorized? | | if lying about the check box is OK, what if he had used a | colleague's user name and password for the criminal activity? | he's still authorized just he didn't use his own password to | commit the crime. would that still not make it CFAA? | WCSTombs wrote: | Here's EFF's take, which IMO is correct: | https://www.eff.org/deeplinks/2021/06/supreme-court-overturn... | jmspring wrote: | I wonder if the raid in 1990 on Steve Jackson Games fell under | this particular act. | | http://www.sjgames.com/SS/ | ncallaway wrote: | Almost certainly not. My understanding of the SJ Games raid was | that the Secret Service was issued a search warrant by a court | prior to the raid. | | 18 U.S. Code § 1030(f) explicitly excepts lawfully authorized | investigative activity of a law enforcement agency. The Secret | Service is such a law enforcement agency, the raid was an | investigatory activity, and since they obtained a search | warrant prior to the raid it was a "lawfully authorized" | search. | | As such, even if there _might_ be liability based on their | actions under the other portions of the section (I have no idea | on this aspect, I'm not too familiar with the details of what | they did as part of the search and seizure), the waiver in (f) | is extremely broad and would apply to the Secret Service in | that particular case. | | > (f) This section does not prohibit any lawfully authorized | investigative, protective, or intelligence activity of a law | enforcement agency of the United States, a State, or a | political subdivision of a State, or of an intelligence agency | of the United States.
| | https://www.law.cornell.edu/uscode/text/18/1030 | jmspring wrote: | Thanks! | aftbit wrote: | I wonder if this precedent would have had any impact on weev's | case. https://en.wikipedia.org/wiki/Weev#AT&T_data_breach | Miner49er wrote: | I was wondering the same thing, and I don't think it would. I | am not a lawyer, and I guess we can't know why the jury voted | guilty, but I think the arguments were that weev didn't have | authorization. They argued that there were several "gates" weev | had to go through to access AT&T's data. | | 1) User agent. He changed the user agent to that of an iPad. | | 2) The IDs themselves. He only had to increment them to get to a | new one, but they argued these were like a password. | | 3) Going to a URL that wasn't linked from somewhere. I'm not | kidding. | | https://www.techdirt.com/articles/20130929/15371724695/dojs-... | | So I think in weev's case, they argued he never had | authorization at all. | | Whereas, in Van Buren's case, "The parties agree that Van Buren | "access[ed] a computer with authorization". So the problem was | whether or not he exceeded authorization, not if he had it in | the first place. | smsm42 wrote: | SCOTUSblog analysis: https://www.scotusblog.com/2021/06/diverse- | six-justice-major... | donatj wrote: | https://en.wikipedia.org/wiki/Van_Buren_v._United_States | | > The FBI set up a sting operation and instructed Albo to offer | Van Buren US$6,000, but in exchange, to request Van Buren look up | a license plate on the Georgia Crime Information Center (GCIC) he | had authorized access to, as to see if its registered owner, a | stripper, was an undercover officer | | What ever happened to entrapment being... you know... against the | law? | | Like I'm aware these sorts of stings happen all the time. What I | don't understand is why it's generally found to be OK. | smsm42 wrote: | The police routinely catch drug dealers by selling them or | buying from them drugs. This is no different.
Entrapment would | only be a defense if you showed that absent police action you'd | _never_ do anything like that and they essentially coerced you | into it. But if they know an officer is corrupt and routinely | sells data to criminals, then to obtain hard evidence by | staging a sting sale would be completely ok for them. In this | particular case, the officer reached out to the criminal for | money, so it'd be hard for him to claim he'd never done it if | the police weren't involved. | ceejayoz wrote: | Entrapment has specific requirements to apply, namely, that the | person would not normally have committed the crime. | | Wearing someone down for years with harassment? Threats? Lies | like "you have to do this or someone would die?" Entrapment. | donatj wrote: | How is that different than offering someone 6 grand? Had no | one offered him six grand he never would have committed the | crime. | | Like there's literally no victim here other than the accused. | [deleted] | jlmorton wrote: | Entrapment is not against the law, but it is a legal defense at | trial against a charge. | | In any event, this is not entrapment, because it was not | coercive. It's not entrapment to offer someone a reasonable | amount of money to commit a crime, that's standard police work. | It's only entrapment if the person refuses the offer, and law | enforcement harasses them, repeatedly suggesting someone commit | a crime until they are eventually convinced to do it. | TameAntelope wrote: | Holy shit, it costs $6,000 to look up one license plate? | | Hollywood has really made this seem like a not-that-bad or | not-that-unusual activity. Good that they're cracking down on it, | but my expectations and reality are way out of whack on this. | rurabe wrote: | There are so many things going on here it's easy to conflate them | but here's how I read it: | | The CFAA is a law about _how_ access is attained not _what_ is | accessed.
There may or may not be other laws that have penalties | for what is accessed given the nature of what is accessed, but | that is a separate issue from the CFAA. | | For example, I am sure that there is some statute I would be in | violation of for walking out of a CIA office with a binder of | classified information. This should be illegal regardless of how | it's accomplished. | | By contrast I think it should probably be a crime to gain access | to a system through either technical exploits or social | engineering, even if all you do is access cat memes that were | public anyway. | | Layered on these issues is whether you think judges should stick | to literal textual interpretations or rule based on the projected | impacts of their decisions. | | Personally, as many have laid out, a strict textual approach | opens the door to let private companies write felony law for | literally anything they want, which seems an unworkable way to | run a society. | | I think it's much more prudent to restrict this law to methods of | access and allow other laws to dictate what can and can't be | accessed or used (copyright law, state secrets etc). | | A final question is how to test for whether methods are | authorized or not. Someone here suggested the test should be the | inclusion of "material deception". This I think falls short | because a lot of behavior that we would not want to criminalize | would satisfy the test. Should it be illegal to use a VPN? | Because I can see that being construed as material deception. | Sacha Baron Cohen dressed up as Borat is unquestionably material | deception but I don't think it should be illegal for him to use a | computer when doing so. | | Ultimately I don't know that there is a bright line definition, | but that's okay because we use a "reasonable person" standard a | lot in law (and we should seek to seat judges that are the most | reasonable of us).
| 
| - No reasonable person would impersonate another to customer | service to steal their phone and thus password. 
| - A reasonable | person might want to use a VPN to avoid being tracked by private | corporations. 
| - No reasonable person would exploit a zero day bug | on a major corporation. 
| - A reasonable person might change their | user agent to see how a site looks on a phone. 
| - A reasonable | person might look up and save articles from a database they have | access to. | tehwebguy wrote: | Wow, guess it's a good thing our courts love corrupt cops more | than they hate everyone else? | | What this guy did is one of the very few things that someone | should actually get hit with the CFAA for. He abused access to | police databases as a cop but he's off the hook because even | though he was explicitly not _allowed_ to do so, he was _able_ to | (as in, the system did not intend to prevent it). I guess if | that's what it takes to narrow this bad law, fine! | QuadmasterXLII wrote: | It sure looks like it. I wonder if we can get any other unjust | laws overturned this way? With a single FBI sting that tricks a | cop into smoking weed on camera, we could end the drug war! | einpoklum wrote: | Abuse of power and CFAA violations aren't the same thing. Not | that the former is not rampant in the US and among the police | in particular... | walshemj wrote: | Murdoch's tabloids will love this | spoonjim wrote: | Oof. I don't like this decision, and surprised to see the breadth | of agreement from the Court. When you grant a person access to a | system (digital or physical), it's for a specific purpose. | Violating that purpose should be a criminal act. If I give a | plumber my house key to come in and fix my sink, and he goes and | he opens up my computer and looks at my files, that should be a | crime.
If I grant a Geek Squadder access to my computer to get a | virus off my computer, and he looks at my private photos except | to the extent necessary to do the job I hired him to do, that | should be a crime. | | One could always say "Congress can remedy this with legislation" | but that body has become fully dysfunctional so we all know that | won't happen. | J5892 wrote: | Yes, it likely should be a criminal act, and it may even be | covered by one. | | But it should not be a violation of the CFAA. | | In your Geek Squadder case, you gave him access to the | computer. He may have used that access improperly, but he did | not increase his access through any illicit means. It is likely | a crime, but not one that should be covered by the CFAA. | | Your plumber case is a much different scenario. Also definitely | a crime, but you did not grant him access to the machine. So | it's possible that the CFAA should cover that, but I don't have | the knowledge required to answer that with any amount of | certainty. | rkagerer wrote: | An analogy: Imagine I give you a key which opens two doors, and | tell you to only use it on the first one. | | Entering the prohibited room isn't an offense under this act. But | circumventing a lock on a _third_ door for which you _don't_ | have a key would be. | | i.e. The judges interpreted it as intending to capture hacking, | not policy violations. | colechristensen wrote: | Or stated differently, the judges explicitly denied giving | policy the force of law so that you can't be charged for a | crime for going against an employee handbook or license | agreement rule. | dogman144 wrote: | This quietly, but I think significantly, changes the | considerations for IAM and similar access controls. | | In the wild, these always trend towards overly permissive. Almost | every company, tech or not, mature or not, deals with this.
| | This ruling shifts a fair amount of responsibility to IAM teams | to get it right now, as CFAA won't back them up as much anymore. | vageli wrote: | Company policy does not have the force of law, and violating | company policy should not be met with legal ramifications | unless those violations also transgress the law. Most company | policies forbid installing games on company laptops--should | that be treated as a felony? | dogman144 wrote: | Not apples to apples at all. | | IAM mistakes easily touch prod, laptop games don't. | NovemberWhiskey wrote: | I don't know it makes much difference for internal controls. | The implicit threat that backs the control is the disciplining | of the employee, not their criminal prosecution. | dogman144 wrote: | Disagree as someone who's built these, prosecution is an | ultimate fallback in AUPs, employee handbooks, etc. | | HR teams ultimately don't have a ton of teeth or willpower | unless there are laws involved, and now there is not legal | coverage. | NovemberWhiskey wrote: | If it matters, I was speaking as someone who led the | authorization platform team for a Fortune 100 company. I do | suppose this depends significantly on company culture. | | In my experience: failure to abide by company policy is | first-and-foremost a compliance issue; the company policy | framework definitely goes above and beyond the scope of | "what is criminal". | | HR is primarily there to manage records of | employee conduct (e.g. in case of a pervasive pattern of | misconduct across a number of different controls) and a | sanctioning mechanism (hard conversation; formal reprimand; | separation). | dogman144 wrote: | Yeah def a company culture thing. | | I agree it's a compliance issue, this is def GRC, and | agree with your def of HR. | | What I notice is HR likes to really move on employees | when it has legal protection to do so.
What a "pervasive | pattern of misconduct" is often has a law behind it in | some form, as otherwise you risk a wrongful termination | lawsuit. | | So, if you have a situation where an employee's pattern | of misconduct sources back to only, or at the root, IAM | allowing it (say an extreme scenario like consistently | nuking prod), there is now some gray area for those | wrongful termination suits. | driverdan wrote: | If a company's first line of defense for an employee violating | internal policies is getting them charged with a federal felony | then there is something very wrong with that company. | dogman144 wrote: | Hence "quietly but significantly." I certainly never said a | felony was the first option. | | From a defense in depth standpoint, the CFAA served as sort | of a final stopgap, in that it gives HR legal precedent to | fire someone who did something moronic with their IAM. | Dan_JiuJitsu wrote: | Just so I understand here; he's still on the hook for taking the | bribe and running the license plate, he's just been cleared of | unauthorized access because he was granted access to the system. | Right? Seems to me the prosecutor messed up when charging him | under CFAA, which as we can see here is a complex and nuanced | section of law, instead of something straightforward, if less | sexy like public corruption/bribery. | nickysielicki wrote: | In what world is it reasonable for the FBI to go around and bribe | small-town police officers in order to charge them under the | CFAA? WTF. | ok123456 wrote: | They do anti-corruption stings like this. The most famous was | probably ABSCAM (https://en.wikipedia.org/wiki/Abscam). | | I'd rather them devote resources to anti-corruption like this | than "drugs". | devmor wrote: | I am loath to defend agents of the government, law officers or | otherwise; but I have to agree with the decision here. | | Van Buren violated department policy, and perhaps other laws in | his conduct. 
But he did not gain unauthorized access to a system. | He already had authorized access - he just used it improperly. | | Similarly, if I were granted access to my company's production | database to perform some kind of operation that required me to | read/write data, and I used that privilege to access financial | records of customers, I would certainly be violating my company's | policy and likely some privacy and financial laws. But it would | not be gaining unauthorized access, as I was explicitly granted | access to that system - just for a different purpose. | theginger wrote: | Summary please. | | It's a lengthy document with quite complex language. | | The impression I got from reading the introduction is it was | pretty clear which way the ruling went, but some of the comments | here seem to be based on the opposite so there seems to be some | confusion. | | So please can someone please sum it up in 1 or 2 lines? | 1vuio0pswjnm7 wrote: | "[E]xceed[ing] authorised access" (EAA) may occur where | information accessed is located in "areas of the computer that | are off-limits", e.g., "files, folders, databases". Access for | an unauthorised purpose does not amount to EAA. | | I was aiming for 160 chars (2 lines of 80 chars). Not so easy. | smsm42 wrote: | The question was if you accessed the data which you are | authorized to access (like police database for a policeman) but | then used it for the purposes which are not part of your duties | (like a corrupt policeman selling these data to criminals) can | you be charged under CFAA. The SCOTUS said no, if you are | authorized, then you are authorized, and the fact that you used | the data later for an unauthorized purpose does not make the | access itself a crime under CFAA (still could be a crime under | a different law, of course). Thus, they restricted the reading | of CFAA to a much narrower scope than the government wanted to | apply. 
| smsm42 wrote: | Also this probably blows a huge hole in the "EULA violation | is a CFAA crime" argument. I'd say it probably would not | survive this decision. | CA0DA wrote: | How would the Aaron Swartz case have been affected if this decision | had been made before? | [deleted] | dudeinjapan wrote: | The SC made the right call here. In order to dissent, you have to | claim that all improper/illegal acts done with computers | constitute a form of hacking under the CFAA, since the prevailing | laws do not "authorize" one to use the computer in that fashion. ___________________________________________________________________ (page generated 2021-06-03 23:00 UTC)