[HN Gopher] US Supreme Court Restricts Scope of Computer Fraud a...
___________________________________________________________________
US Supreme Court Restricts Scope of Computer Fraud and Abuse Act
[pdf]
Author : panarky
Score : 271 points
Date : 2021-06-03 15:25 UTC (7 hours ago)
(HTM) web link (www.supremecourt.gov)
(TXT) w3m dump (www.supremecourt.gov)
| blakesterz wrote:
| I guess this is the part that matters most?
|
| "We must decide whether Van Buren also violated the Computer
| Fraud and Abuse Act of 1986 (CFAA), which makes it illegal "to
| access a computer with authorization and to use such access to
| obtain or alter information in the computer that the accesser is
| not entitled so to obtain or alter." He did not. This provision
| covers those who obtain information from particular areas in the
| computer--such as files, folders, or databases--to which their
| computer access does not extend. It does not cover those who,
| like Van Buren, have improper motives for obtaining information
| that is otherwise available to them"
|
| Thomas, Alito and Roberts dissented, and I hate to say it, but I
| agree with them.
|
| "The question here is straightforward: Would an ordinary reader
| of the English language understand Van Buren to have "exceed[ed]
| authorized access" to the database when he used it under
| circumstances that were expressly forbidden? In my view, the
| answer is yes. The necessary precondition that permitted him to
| obtain that data was absent."
|
| That's Thomas dissenting.
| fooey wrote:
| I very much feel their ruling is correct. The CFAA is intended
| to target "hackers," not policy violations.
|
| Here's a quote from the ruling making the point that applying
| the law to something like access policy is far too broad to be
| viable
|
| > The Government's interpretation of the "exceeds authorized
| access" clause would attach criminal penalties to a
| breathtaking amount of commonplace computer activity. For
| instance, employers commonly state that computers and
| electronic devices can be used only for business purposes. On
| the Government's reading, an employee who sends a personal
| e-mail or reads the news using a work computer has violated the
| CFAA. The Government speculates that other provisions might
| limit its prosecutorial power, but its charging practice and
| policy indicate otherwise. The Government's approach would also
| inject arbitrariness into the assessment of criminal liability,
| because whether conduct like Van Buren's violated the CFAA
| would depend on how an employer phrased the policy violated
| perihelions wrote:
| _"The CFAA is intended to target "hackers," not policy
| violations."_
|
| However, they also explicitly write that they're _not_
| addressing that distinction (footnote 8 on page 13, to my
| best ability to parse it). There's some semantic gap between
| "policy violations" and "improper motives".
|
| _"For present purposes, we need not address whether this
| inquiry turns only on technological (or "code-based")
| limitations on access, or instead also looks to limits
| contained in contracts or policies. Cf. Brief for Orin Kerr
| as Amicus Curiae 7 (urging adoption of code-based
| approach)."_
|
| I discovered this nuance from Orin Kerr's twitter (the same
| one cited in this footnote); he says he's not confident he
| understands this footnote.
|
| https://twitter.com/OrinKerr/status/1400461828807741455
| tialaramex wrote:
| I don't know if it _can_ always be avoided, but I think it
| makes sense for a court to _try_ to avoid the code-based
| approach.
|
| It seems to be all downside (exploiting bugs will typically
| be OK because the _code_ said this was OK, even if the
| people who wrote it never intended that) with no upside
| (the things rendered illegal already don't work, because
| code forbade them).
|
| Courts ought to be familiar with the fact that they're
| present mostly to make decisions about fuzzy things like
| "Did the accused intend to cause harm to the victim?" and
| not simple mechanics like "Does being injected with cyanide
| kill people?".
| Natsu wrote:
| I agree, I don't think it can always be code-only. If you
| socially engineer someone into giving you an account, I
| really think that should be fraud.
|
| I've thought about this for some years now and looked at
| various different cases tried under the CFAA or otherwise
| claimed to be unauthorized access.
|
| I personally believe it should turn on whether or not you
| used deception as the means to gain access. That is, but
| for your deception, would you have gained access?
|
| This, in my mind, proves they were up to no good (_mens
| rea_) and acts to make it clearer whether or not you
| were authorized. It also connects to the idea that the
| law is meant to counteract a type of _fraud_ in general. I
| mean, how can anyone say they had authorized access if
| they had to lie to gain access?
| anonymousiam wrote:
| I agree that the ruling is correct. The officer was granted
| the accesses he had, and he was fully authorized to use them.
| He violated a department policy by using his access
| improperly. The government wants to turn policy violations
| into a felony, and even set up a sting operation in this case
| to get a felony conviction. The officer should be
| disciplined/fired/etc. for violating department policy, but
| the CFAA should not be used to turn him into a felon.
| yarcob wrote:
| The problem is that the officer is corrupt, and he should
| be charged for taking a bribe. I don't think corruption is
| "just a policy violation", but I don't know enough about US
| law to know if taking bribes makes you a felon or not (I
| would hope so, but I assume it depends on circumstances).
|
| In any case, it shouldn't matter that he used a computer to
| commit a crime. If he had gotten the relevant information
| by reading them from a paper file or by asking a coworker
| the crime should be the same, in my opinion.
| Natsu wrote:
| I think that what the officer did is likely illegal for
| other reasons. So this ruling doesn't mean the officer
| deserves no punishment, it just means they committed some
| other crime than unauthorized access to a computer
| system.
| rPlayer6554 wrote:
| But then he should be charged under the set of laws
| pertaining to bribery or corruption. I don't think anyone
| here disagrees with that. The question is should this
| crime of corruption get a massive additional penalty
| specifically because it was committed on a computer.
|
| The supreme court says that this law has a purpose: to
| catch people who gain unauthorized access to computers.
| If laws are interpreted too broadly, they can be used to
| overcharge people. The example given by the supreme court
| is that if this law covers unauthorized use of a computer
| you are authorized to have access to, then sending a
| personal email on a work computer can be a felony.
| pessimizer wrote:
| I'm absolutely fine with him being charged with a felony,
| as he is a corrupt government official, I just don't think
| that felony should be hacking.
| thayne wrote:
| I would hope that there are stronger protections against
| such abuses of authorization. What if a police officer (or
| system administrator, etc.) sold information about a
| potential victim to a criminal that resulted in physical or
| financial harm to said victim?
| the_pwner224 wrote:
| That is / should be illegal on its own, the fact that the
| information was obtained through a computer system
| instead of a paper file doesn't change anything in your
| example.
| secothroa wrote:
| >and he was fully authorized to use them
|
| This line is the crux, and the problem is that "authorized"
| means subtle, yet critically important, different things to
| different people.
|
| The officer was surely "authorized" in the sense that he
| had technical authorization to log into the system and
| accomplish the task.
|
| But in the sense that "authorization" is defined by more
| than just technical controls, and also has to do with many
| dynamic situations that technical controls can't often
| restrict (or just aren't in place), it doesn't sound like
| he was "authorized".
|
| Think of walking into a restaurant and they have a sign
| that says "Employees Only Behind Counter". Even if there
| was no technical/physical control preventing you from going
| behind the counter (eg there was no locked door or anything
| like that), I think it would still be understood that you
| as a customer do not have "authorization" to go back there.
|
| In my experience as a security consultant, my technically-
| minded clients typically think of "authorization" as the
| first way, defined by technical controls and thinking that
| lack of technical controls in a system means they have
| carte blanche to do whatever they want with that system.
| But my experience with anyone outside of tech is that they
| don't think of it that way at all, and that just because
| you have the physical/technical ability to do something
| does not make it okay to do that.
|
| "Authorization" is an overloaded term and the CFAA suffers
| for it, but personally I do not think an average person
| would think the officer was "authorized" to do what he did,
| even if he did have the technical access to do it.
|
| The points about "average employees technically violating
| the CFAA by doing stuff like reading the news on their work
| laptop" are valid concerns and I think they need to be
| resolved, but I think that is a completely different
| concern than someone like this officer abusing their access
| for legitimately bad acts.
| zuminator wrote:
| I like your restaurant analogy but I draw the opposite
| conclusion. Imagine a restaurant which has a sign saying,
| "You must be dressed appropriately to enter - no shoes,
| no socks, no service." A family goes in to dine. About
| halfway through their meal, the cops come and arrest the
| father. Turns out, although nobody noticed at first, he
| wasn't wearing socks, and was therefore trespassing
| according to store policy. Is that fair though? It's one
| thing to ask the family to leave, but should the father
| be charged with an actual crime for unauthorized entry?
| greycol wrote:
| >Think of walking into a restaurant and they have a sign
| that says "Employees Only Behind Counter". Even if there
| was no technical/physical control preventing you from
| going behind the counter (eg there was no locked door or
| anything like that), I think it would still be understood
| that you as a customer do not have "authorization" to go
| back there.
|
| But if a customer was invited back there because they
| said they wanted to thank the chef? They're told not to
| touch anything, they touch something. Do we view that
| touching something as breaking the same rule as someone
| who just walks back there uninvited or is it another rule
| they are breaking?
|
| I can definitely see arguments for both views. Especially
| compelling to me based on the analogy is once you've
| taken the first unauthorized by policy action no other
| actions other than leaving would be authorized though
| this interpretation would lead to its own absurdities.
| Natsu wrote:
| You're right about a lot of that, but there are huge
| problems with making mere policy violations into federal
| felonies. We want to stop people from hacking stuff, but
| at the same time, we can't do that by giving every random
| company the power to make things into federal felonies
| via their own complex and often-ignored rules.
|
| I posted up thread too, but my own personal view is that
| unauthorized access should hinge on whether the person
| used deception to obtain access. That provides a clear
| separation between lawful and unlawful conduct without
| giving private parties the power to define new felonies.
|
| With computers, I don't think that the proverbial
| "employees only" sign on a load of private data means
| anything and the incentive should be on the business to
| provide a proper access control there. Meanwhile, if they
| add a guard who asks "are you an employee?" and you lie
| to them to get access, I would say you're unauthorized.
|
| That gives us some semblance of _mens rea_ while not
| going too far in any direction, I believe.
| bryanrasmussen wrote:
| >I very much feel their ruling is correct. The CFAA is
| intended to target "hackers," not policy violations.
|
| ok, but devil's advocate for a second - much hacking is
| actually just lying to people to get access to things you
| shouldn't have access to - so pretty much closer to policy
| violations than the stuff most people associate with
| 'hacking'
| colechristensen wrote:
| But let's say you called someone on the phone and lied to
| them to gain access to a computer system, you committed
| wire fraud doing so. It's just a different crime because
| the thing you did wrong involves lying on the phone.
| anonymousiam wrote:
| If you obtain access using somebody else's credentials
| through fraud, _YOU_ are not authorized. Thus you are
| violating the CFAA.
| ClumsyPilot wrote:
| Obtaining access through fraud is fraud. Why do you need
| to morph one crime into another?
|
| Think Breaking and Entering requires breaking. If someone
| gave you keys under false pretences, that's a different
| crime.
| jdmichal wrote:
| I believe this would still be covered by the _first_
| clause, the one not even being argued in this decision.
|
| > Subsection (a)(2) specifies two distinct ways of
| obtaining information unlawfully--first, when an individual
| "accesses a computer without authorization," §1030(a)(2),
| and second, when an individual "exceeds authorized access"
| by accessing a computer "with authorization" and then
| obtaining information he is "not entitled so to obtain,"
| §§1030(a)(2), (e)(6).
|
| I fraudulently obtain and use credentials to a system which
| authorize another person to access it. I am still
| "accessing a computer without authorization", because those
| credentials never authorized _me_.
|
| This starts to get _really_ fuzzy if I fraudulently have
| credentials explicitly granted to me...
| zozbot234 wrote:
| That's fraud and it's always been illegal.
| secothroa wrote:
| CFAA stands for "Computer _Fraud_ and Abuse Act". The
| entire purpose of the law is that it addresses that type
| of fraud.
| buu700 wrote:
| My initial reaction was to agree with you, but based on my
| reading of the law I actually have to support the majority
| opinion: https://www.law.cornell.edu/uscode/text/18/1030#e_6
|
| _(6) the term "exceeds authorized access" means to access a
| computer with authorization and to use such access to obtain or
| alter information in the computer that the accesser is not
| entitled so to obtain or alter;_
|
| The language here is relatively narrow. Nathan did "access a
| computer with authorization", and he didn't obtain information
| that he was "not entitled so to obtain or alter".
|
| He may have obtained it for a _purpose_ that was expressly
| forbidden by the department policy, but he was permitted to
| obtain the information in and of itself. To qualify as being
| "under circumstances that were expressly forbidden", I think it
| would have to be a situation wherein he wasn't allowed to
| obtain the information in general, e.g. if he were only allowed
| to access it within certain hours or with a superior present.
|
| It's like the difference between giving someone your phone
| (which, for the sake of argument, qualifies as a "protected
| computer" in this scenario) and telling them that they can go
| through your photos so long as they don't take out their own
| phone and photograph any of them, and telling them that they
| can only open your photos while you're watching.
|
| It would be extremely rude in either case to secretly take your
| phone and exfiltrate your photos -- and may even still be a
| crime in and of itself (and/or lead to follow-on crimes) -- but
| I wouldn't consider the former to violate this particular law.
| cletus wrote:
| A policy change by your employer shouldn't lead to the
| possibility of a criminal prosecution for "hacking" and that's
| the net result of what you're suggesting and what that
| interpretation would mean.
|
| To me this is the definition of overreach.
| generalizations wrote:
| It sounds similar to the problem of someone with access to a
| file cabinet, where they aren't allowed to use some of the
| files in the cabinet, but are allowed to access other files in
| the same cabinet.
| AnimalMuppet wrote:
| And if they do access the files that they aren't allowed to, we
| don't charge them with safecracking. They did _something_,
| but safecracking doesn't fit.
| badRNG wrote:
| Similar to if someone does something they aren't supposed
| to in a business, they aren't immediately charged with
| breaking and entering or trespass.
| duxup wrote:
| Plain English to me seems like the person in question had
| authorized access.
|
| His actions maybe should be criminal in some way (time to write
| a law maybe), but his access was authorized.
| fossuser wrote:
| > "This provision covers those who obtain information from
| particular areas in the computer--such as files, folders, or
| databases--to which their computer access does not extend. It
| does not cover those who, like Van Buren, have improper motives
| for obtaining information that is otherwise available to them"
|
| I think this would have acquitted Aaron Swartz (though he
| likely would have been acquitted anyway since they didn't even
| allege improper motive iirc).
|
| In his case he accessed journals that were available to him via
| MIT's open network. There is the second issue of his
| trespassing in a closet to leave a laptop on the network, but
| that would have been minor when compared to the string of
| felonies they charged him with which was tied to the CFAA.
|
| This seems like a good restriction to me at first glance.
| vmception wrote:
| Do you think people will be able to acknowledge that
| predisposition to suicide is what killed him and not the
| gravity of the DA obsession to convict him? The US doesn't
| have the most people in prison because long sentences caused
| everyone to kill themselves first, it's because people do the
| time.
|
| I just see so much focus on needing to identify a catalyst
| (which doesn't affect most people) instead of the pre-
| existing mental health issue of the person. I think this
| hampers the necessary conversations to be had on suicide.
| 0003 wrote:
| Look up the eggshell doctrine. From wikipedia: The rule
| states that, in a tort case, the unexpected frailty of the
| injured person is not a valid defense to the seriousness of
| any injury caused to them.
| vmception wrote:
| this wasn't a tort case, it was a criminal case
|
| even if the family sued the state civilly there would be
| nothing for the state to defend against
| thebooktocome wrote:
| I don't see the need to assign a single cause to a given
| event, to the exclusion of all others. Most events that
| occur have multiple causes, with varying degrees of
| importance.
| vmception wrote:
| people are misattributing the most important one, then:
|
| planning and following through with the action
| incompatible with maintaining a consciousness on this
| plane of existence.
| fossuser wrote:
| > "Do you think people will be able to acknowledge that
| predisposition to suicide is what killed him and not the
| gravity of the DA obsession to convict him?"
|
| This is itself presumptive and I think largely wrong. Like
| most things it's a combination of factors. No doubt Aaron
| was struggling with depression, but facing federal prison
| with a trial defense costing $1.5M (even if acquitted in
| the end) is enough pressure to break even an otherwise
| healthy person.
|
| I don't understand the need for people to frame this as you
| are.
|
| I suspect Aaron would be alive today if the prosecution had
| shown some discretion. In this specific case, it would also
| have been the right/just thing as well as the legally
| correct thing.
| vmception wrote:
| > I don't understand the need for people to frame this as
| you are.
|
| Then perhaps the bigger issue, to me, is that this level
| of analysis is not given to other people, where it should
| be as well.
| fossuser wrote:
| On that we agree - if there's one thing in short supply
| on the internet, it's nuance.
| appleflaxen wrote:
| Would that make you a criminal if you mistyped your URL, and
| ended up looking at someone else's document?
|
| It seems like it would to me, and I don't like that
| interpretation.
|
| If you want me to keep out, then keep me out. Don't make
| something available to me and then accuse me of a felony when I
| see it.
| nullc wrote:
| Civil and criminal law are distinct for a reason. In criminal
| law the consequences for your wrongs are much more dire-- you
| face the power of the state against you and you can be denied
| your freedom.
|
| Triggering the CFAA on policy violations creates a general tool
| to convert civil matters into not just a crime, but a
| relatively serious one! It essentially lets system operators
| write private law with criminal enforcement without the
| oversight of the public.
|
| To give a silly example: Your landlord prohibits you from
| painting your walls. Their payments website has some terms of
| use that makes it a CFAA violation to use their site with
| painted walls. Suddenly what otherwise might be a lawsuit over
| the $500 cost to repaint is a state funded attack where you
| face ten years in prison.
|
| It's clearly wrong to use the CFAA that way in the silly
| example, but it's no less wrong in less silly cases. Saying the
| CFAA can't be used to create private criminal law doesn't mean
| that policy violations can't be prosecuted-- but it means they
| should be prosecuted under other laws (with intentionally
| matched terms and penalties) or as civil matters.
| lumost wrote:
| This is the outcome of a legislative branch which can no longer
| legislate effectively. The courts have to "interpret" the laws
| into a sensible form of common law which minimizes the
| difference between the legislation, and practical governance
| concerns.
|
| Interpreting the law in such a way as to make _private_ policy
| makers the arbiters of _felony_ charges is not compatible with
| our society. This would be the equivalent of a restaurant
| letting you in, asking you to take a seat, and then charging
| you with a felony for choosing the wrong seat as listed on a
| tiny sign in the back of the restaurant.
| austincheney wrote:
| _Exceeded authorized access_ commonly refers to privilege
| escalation, which means access to a resource beyond his/her
| level of granted permission, whether by modification of
| technical controls, social engineering, or physical access.
| That is not what happened here. The access to the resource
| occurred exactly in accordance with the access controls and
| authority granted, but the motivation and intention were in
| clear ethical violation.
|
| Judge Barrett said exactly this in her opinion.
| lmkg wrote:
| The heart of this is the difference between legal authorization
| vs technical authorization. Legally, it is (or rather, used to
| be) OK to say "you have access to data X for purpose Y."
| While the technical controls could not enforce restrictions on
| the purpose, it was understood that purpose limitation was
| valid. There was an understanding that technical controls are
| only an _approximation_ of policy, and it's the policy that
| has legal weight when determining what access is authorized.
|
| Hopefully this particular case also runs afoul of other laws.
| Like something about granting access to unauthorized
| individuals, which is what the defendant was doing (selling
| government data). That can, and perhaps should be, separately
| illegal from accessing data for improper purposes.
| phkahler wrote:
| >> The heart of this is the difference between legal
| authorization vs technical authorization.
|
| We must not confuse legal authorization (felony for
| violation) with private or contractual agreements.
|
| Any law that allows private entities to define what actions
| constitute a felony is bad, and hopefully unconstitutional.
|
| Technical access measures are somewhat like physical locks.
| Terms of use are more similar to contracts. IANAL so my
| analogies may be crap.
| ClumsyPilot wrote:
| This is a very good point and what people often confuse.
|
| There is a crime of breaking and entering - and that's well
| defined.
|
| Then there are permissions of: "you can be in my house as
| long as you don't use the bathroom and only wear pink socks"
| - if a person were to wear green socks, you can kick them
| out, but it does not suddenly become a home invasion
| kayodelycaon wrote:
| The argument against the dissent is CFAA defines the terms
| used. Ordinary reader rule does not apply in that circumstance
| and nor should it.
| burkaman wrote:
| The court's hypothetical is useful:
|
| > For instance, employers commonly state that computers and
| electronic devices can be used only for business purposes. On
| the Government's reading, an employee who sends a personal
| e-mail or reads the news using a work computer has violated the
| CFAA.
|
| Accessing data for a forbidden reason should be a fireable
| offense, but not criminal. So if Thomas is right, it's a very
| bad law.
|
| I'm not sure I agree with him though. I think if you asked an
| average person, they might say something like "yes I am
| authorized to access that database, because I have credentials,
| but I'm not supposed to without a good reason". I don't think
| there is a single plain English reading of this phrase that any
| large group of people would agree on.
| ncallaway wrote:
| I don't agree.
|
| I think the other judges have the better reading of the
| specific language of the text. Thomas, Alito, and Roberts don't
| even take their dissent on the interpretation offered by the
| Government, but have to craft their own--extremely broad--
| interpretation of "entitled".
|
| Since I think the opinion (at least, the little bit of it that
| I've skimmed) makes a fairly compelling case around the
| majority's interpretation of the words "so" and "entitled" I
| won't rehash that here. But, if we back up to the purpose and
| intent of the legislation, I think this outcome also better
| aligns with that.
|
| The CFAA was designed to curtail the unauthorized use of
| computers. To make it illegal for people to deliberately
| circumvent the security measures built into computers to
| obtain information or cause other harm. If I hand you a
| computer, tell you the password, and ask you to login to my
| computer and respond to an email for me, but then ask you not
| to look in the `Taxes` folder on the desktop _should_ it be a
| felony for you to open the `Taxes` folder? That conceptually
| feels wrong to me. I have violated your trust, sure, but I
| haven't committed fraud, and I haven't abused any access
| control mechanisms on the computer.
|
| Or another scenario: your work gives you a work computer, and
| has a paragraph in the employee handbook that says you are
| never allowed to visit news.ycombinator.com on the work
| computer. At some point while working at the company, you visit
| news.ycombinator.com on the work computer. Have you just
| committed a felony? You've "exceeded the authorized access", if
| you interpret "entitled" and "authorized" as broadly as Thomas,
| Alito, and Roberts seem to. Should that really be a felony?
|
| That interpretation leads to such a massive broadening of
| felony criminal liability. It doesn't gut-check for me. That,
| combined with what I perceive as the better textual reading of
| the phrases "so" and "entitled", I have to disagree with you. I
| think the other 6 justices had the better argument at multiple
| levels.
| merpnderp wrote:
| I initially agreed with Justice Thomas's viewpoint but you
| really make it clear that he is wrong.
| WillPostForFood wrote:
| _That interpretation leads to such a massive broadening of
| felony criminal liability. It doesn't gut-check for me_
|
| I agree with you, it totally fails the gut check, but it is
| because the law is poorly written. The Supreme Court bailed
| out the lawmakers by winging it here. The minority opinion is
| the worse, but more accurate plain reading of the law.
| zozbot234 wrote:
| The alternative would be declaring the act void for
| vagueness. A statute that "forbids or requires something in
| terms so vague that men of common intelligence must
| necessarily guess at its meaning and differ as to its
| application" violates the constitutional provision of due
| process. So the SCOTUS ruling makes sense in terms of
| choosing the least disruptive option wrt. general
| expectations.
| Natsu wrote:
| Not really. I would just read the word "fraud" in the
| very title of the act and decide that means that whether
| or not the access was unauthorized depends on whether you
| lied to gain access.
|
| I won't claim that test is perfect, but it's a lot
| clearer than the current standards and when I go through
| past cases, I don't see it coming to any indefensible
| conclusions.
|
| Yes, that would agree with the majority holding in this
| case. It's important to note that even if they didn't
| violate the CFAA, they likely broke plenty of other laws
| and can be punished for that.
|
| So this conduct absolutely deserves to be punished, just
| not under the CFAA.
| ncallaway wrote:
| Well, that ignores the part where I agree with the textual
| reading and interpretation of the majority.
|
| I think the majority opinion is also the more accurate
| plain reading of the law. So, from my perspective, no
| bailing out is necessary. The gut check and the plain
| reading both seem to align.
| WillPostForFood wrote:
| _intentionally accesses a computer without authorization
| or exceeds authorized access_
|
| Did he exceed authorized access? He did, and therefore he
| broke the plain reading of the law. The law should be
| better, and separate violating access controls from
| violation of access policy, but it doesn't.
| unyttigfjelltol wrote:
| Judges interpret ambiguous laws narrowly to avoid criminal
| liability, as you say.[1] Three justices dissented though, I
| take it, because in their view the words weren't ambiguous,
| even if leniency would have been the better public policy.
|
| [1] https://en.m.wikipedia.org/wiki/Rule_of_lenity
| mywittyname wrote:
| > but then ask you not to look in the `Taxes` folder on the
| desktop should it be a felony for you to open the `Taxes`
| folder? That conceptually feels wrong to me. I have violated
| your trust, sure, but I haven't committed fraud
|
| You accessed privileged information that you were explicitly
| not allowed. To me, asking you not to look at certain
| information is effectively the same as putting a password on
| it, then having you break it. In both cases, the intent of
| the owner is clear: do not access these files. And in both
| cases, the actions of the perpetrator very clearly disregard
| the owner's intent.
|
| Your example about accessing a website is not the same. It's
| pretty clear that the person going to new.ycombinator.com is
| not stealing or accessing privileged information. There have
| been separate rulings dealing with whether or not employees
| can use corporate equipment for personal reasons.
|
| A more analogous example to the case at hand would be an
| employee at Google/Humana/Tinder selling your private details
| to a third party. This ruling means that such activity is
| perfectly legal, even if the terms of their employment state
| the opposite.
|
| Unless, of course, the only reason the court ruled in favor
| of this person was that they are a police officer. But I
| guess we have to wait until the FBI attempts to press charges
| against someone at Google selling personal details to third
| parties to find out.
| andrewjl wrote:
| > A more analogous example to the case at hand would be an
| employee at Google/Humana/Tinder selling your private
| details to a third party.
|
| That's not a realistic example because something like that
| would be covered by an NDA or alternatively, if in EU or
| California, by data policies.
| nokcha wrote:
| >There have been separate rulings dealing with whether or
| not employees can use corporate equipment for personal
| reasons.
|
| Such rulings are about different laws. The government's
| interpretation would criminalize violating a protected
| computer's terms-of-service regardless of whether it is
| part of a corporate intranet or an ordinary website on the
| Internet. And yes, the government has pursued criminal
| charges for violating a website's ToS; see _United States
| v. Drew_, 259 F.R.D. 449 (C.D. Cal. 2009).
|
| >A more analogous example to the case at hand would be an
| employee at Google/Humana/Tinder selling your private
| details to a third party. This ruling means that such
| activity is perfectly legal, even if the terms of their
| employment state the opposite.
|
| As to Humana, it would likely be a criminal HIPAA
| violation.
| johnnyapol wrote:
| > A more analogous example to the case at hand would be an
| employee at Google/Humana/Tinder selling your private
| details to a third party. This ruling means that such
| activity is perfectly legal, even if the terms of their
| employment state the opposite.
|
| No, this isn't what this means at all. This ruling just
| means you haven't committed a crime under the Computer
| Fraud and Abuse Act by accessing that data if you didn't
| "hack" to get access to it. Depending on the information
| you sold, you could've violated other laws and you
| definitely violated the Non-Disclosure agreement you signed
| with those companies.
|
| For reference, the cop in this case had other convictions
| under wire fraud laws that weren't changed by this.
| ncallaway wrote:
| > To me, asking you not to look at certain information is
| effectively the same as putting a password on it, then
| having you break it.
|
| To me, they are not effectively the same at all. I see
| there being two different types of "authorization" at play.
| One is a mechanical authorization built into the computer
| systems (a password, for example). The other is a policy
| authorization, built into how I convey to you what is
| "allowed" on the system. They seem fundamentally different
| to me.
|
| To 6 justices on the Supreme Court, they are not
| effectively the same thing either. To 3 justices, they are.
| The ambiguity of English is definitely annoying when we get
| into the nitty-gritty of laws!
|
| > A more analogous example to the case at hand would be an
| employee at Google/Humana/Tinder selling your private
| details to a third party. This ruling means that such
| activity is perfectly legal, even if the terms of their
| employment state the opposite.
|
| That's simply not what this ruling holds. That would be an
| accurate summary of this ruling if and only if the CFAA
| were the only law that exists in the United States Code!
|
| "Legal" is also an ambiguous word in this context. Such an
| activity may break other laws, or it may not. I'm not
| familiar with what other criminal liability may attach to
| such behavior. But that activity almost certainly would be
| a civil violation. I would potentially be able to sue
| Google/Humana/Tinder (though there's a chance their privacy
| policy already gives them the option to sell my
| information). And Google/Humana/Tinder could certainly sue
| the rogue employee for damages caused by such a sale.
|
| If Google/Humana/Tinder wanted to go further to protect
| themselves from bad-acting employees, they could use actual
| access controls (instead of mere policy) to restrict the
| ability for employees to access such data and only give
| access to employees who need such access. While it's
| certainly not the thing a Supreme Court ruling should hinge
| on, it's a nice added bonus that this gives a further
| incentive for companies to implement _actual_ least access
| control rather than just making it a policy.
| jdmichal wrote:
| > If Google/Humana/Tinder wanted to go further to protect
| themselves from bad-acting employees, they could use
| actual access controls (instead of mere policy) to
| restrict the ability for employees to access such data
| and only give access to employees who need such access.
|
| I'm pretty sure the exact fact that Amazon did _not_
| appropriately restrict access in this way is one of the
| points being considered in the antitrust case.
| Specifically, that people who shouldn't have been able
| to, and who shouldn't have by policy, still could access
| seller data.
| wlesieutre wrote:
| For the requisite car analogy: one is like a mechanic taking
| your car for a joyride after you give them the key, the other
| is a stranger taking it for a joyride after breaking in and
| stealing it out of your driveway.
|
| One of them is misusing a car that you gave them access to,
| the other one is stealing it.
| pessimizer wrote:
| That's because you're assuming the stranger doesn't return
| the car. If your mechanic takes your car for a joyride
| after you give them the key for purposes of repairing your
| car, and a stranger steals my car when I'm not using it and
| brings it back before I notice it's missing, I don't
| understand why one is any different or worse than the
| other.
| NovemberWhiskey wrote:
| In my jurisdiction, a mechanic who takes a car for a
| joyride is committing a class A misdemeanor (unauthorized
| use of a vehicle in the third degree)
|
| ref. https://codes.findlaw.com/ny/penal-law/pen-sect-165-05.html
|
| In other jurisdictions (like, say, New Hampshire), that
| same case falls into the definition of theft.
|
| http://www.gencourt.state.nh.us/rsa/html/LXII/637/637-9.htm
| [deleted]
| nostrademons wrote:
| There's an important distinction between levels of government and
| civil vs. criminal penalties here. From section a.4 of the
| holding:
|
| "The relevant question, however, is not whether Van Buren
| exceeded his authorized access but whether he exceeded his
| authorized access as the CFAA defines that phrase."
|
| The CFAA is a federal statute that governs unauthorized access to
| computer systems. When granting authorized access to computer
| systems, other organizations (whether states or police
| departments or private companies) are free to set their own
| policies, and they can enforce those policies with the mechanisms
| they have available to them, like terminating the offending
| officer or revoking his computer access (at which point further
| access _would_ be a CFAA violation). But _can they then use the
| language of the CFAA to criminalize violations of their own
| authorization policies_? This holding says no - the CFAA covers
| the initial access to the computer system, and then violation of
| more granular access policy is a civil matter between the
| individual parties.
|
| This is consistent with several other recent court positions.
| There was a recent case to criminalize ToU violations [1]; the
| court ruled that this is an overbroad reading of the CFAA and ToU
| violations were civil matters between parties. When Anthony
| Levandowski used Google's network to download self-driving car
| plans and sell them to Uber [2], he was prosecuted under "theft
| of trade secret" laws, not under the CFAA. It's also analogous to
| perpetual free speech battles, where the court has repeatedly
| ruled that private parties are free to restrict speech on their
| own property, and that the 1st amendment applies only to the
| _government_. In general liberal democracies seek to apply
| restrictions as narrowly as possible and have private parties
| work out contracts and consequences amongst themselves, only
| stepping in when there is no way to enforce such agreements
| without an outside power.
|
| [1] https://arstechnica.com/tech-policy/2020/03/court-violating-...
|
| [2] https://www.justice.gov/usao-ndca/pr/former-uber-executive-s...
| dsr_ wrote:
| This seems to me to be the correct decision. Van Buren should
| have been charged with:
|
| GA 332: Abuse of official power
| GA 333: Exceeding official powers
| GA 338: Bribe-taking
|
| and, Federally, 18USC 201, which prohibits public officials from
| taking bribes.
| a1369209993 wrote:
| There should be some snooping/violation-of-privacy charges as
| well, but otherwise that sounds about right. CFAA is not
| relevant here.
| a1369209993 wrote:
| > CFAA is not relevant here.
|
| Er, CFAA is not relevant to the criminal case against Van
| Buren, I mean.
| Natsu wrote:
| I'd imagine they were, by the time things get to the Supreme
| Court, they're dealing with very narrow issues of law and not
| the entire case.
| cletus wrote:
| I'm surprised at the negativity here. I agree with this decision.
|
| When I saw it was a 6-3 decision my first instinct was "oh
| another conservative-liberal divide" but no it isn't. I'm
| actually surprised to find Thomas dissenting since he's just a
| stickler for the literal text.
|
| To me the ruling seems correct: the offender may have exceeded
| department rules and such access by that measure was
| "unauthorized" but he was not an unauthorized user to the system.
|
| It's refreshing to see limits to the overreach on what
| constitutes "hacking". This isn't hacking.
|
| Were this ruling in effect when Aaron Swartz was charged, I very
| much suspect it would've invalidated the hacking charges under
| the CFAA (since he used a guest account he had access to).
| tomschlick wrote:
| > I'm surprised at the negativity here.
|
| If this were not a ruling in favor of a police officer, I feel
| that you would see a much more positive response. The past few
| years of political craziness have warped people's minds where
| they can't recognize a good thing anymore.
| J5892 wrote:
| Agreed.
|
| My initial reaction to the headline I read was anger that an
| officer got away with abusing his power. But upon learning the
| details, it's clear that a CFAA violation is an inappropriate
| charge here.
| r0m4n0 wrote:
| Yep, I think this was a small win for the opponents of CFAA but
| this is a total show of force of the supreme court. This law is
| famously broad and to interpret it in its literal sense would
| mean the mass majority of the nation would be federal criminals
| (they point out some of the scenarios in the article).
|
| Instead of law makers fixing the problem, the supreme court is
| effectively reading between the lines. Luckily IMHO they are
| doing the right thing here and will put this particular
| employer based scenario to rest.
|
| Now to clarify on the countless other holes in the CFAA...
| duxup wrote:
| Agreed.
|
| This is a policy violation, and maybe that should be illegal in
| some way or have consequences. I'd be ok with that, but it's
| just not "exceed authorized access". The person in this case
| was authorized.
|
| The idea that you could be authorized, but suddenly not because
| of a policy doesn't make sense to me and that's kinda weird
| because that seems right up Thomas's literal interpretation
| alley (come on Thomas, use it right for once).
|
| Imagine Comcast changes a policy, and suddenly you're in
| violation of Computer Fraud and Abuse Act (CFAA).
| secothroa wrote:
| Policies, by definition, are ways by which authorization
| rules are enforced. If the officer violated a policy, they
| also by definition violated their authorizations.
|
| >The idea that you could be authorized, but suddenly not
|
| They were never authorized to use this system in this way, so
| there was not an "authorized but then suddenly not". The
| officer's authorization was static: not authorized.
|
| Authorization is more than just the technical controls in a
| system, and lack of a technical control to prevent an officer
| using a system in certain ways does not mean said officer is
| authorized to use the system in any way they please.
| badRNG wrote:
| I think we are confusing two concepts here.
|
| The officer's _actions_ were unauthorized on a system he
| was provided access to. He didn't gain unauthorized access
| to a system, he failed to follow the rules on a system he
| already had access to.
| a1369209993 wrote:
| > The officer's actions were unauthorized on a system he
| was provided access to.
|
| Er, no, that's specifically not the case. The officer's
| actions _on the system_ in fact _were_ authorized; he was
| authorized to look up licence plate information. The
| officer's actions _later_ - specifically sharing private
| information with a third party - were criminal[0], and
| would be criminal regardless of whether a computer was
| even involved.
|
| 0: Give or take legislative and judicial corruption a la
| misrepresenting theft as 'civil forfeiture', but that's
| not really the point.
| treis wrote:
| Authorization isn't just yes or no though. It's
| conditional on intent.
|
| Say I give a neighborhood kid a key to come water my
| plants while I'm out of town. If they use that key to
| gain access and throw a party they're trespassing. I
| don't see why it should be different for a CPU
| JumpCrisscross wrote:
| > _Authorization isn't just yes or no though_
|
| For purposes of this law, it is. The Government agreed
| "that Van Buren 'access[ed] a computer with authorization'
| when he used his patrol-car computer and valid
| credentials to log into the law enforcement database"
| [1].
|
| "The dispute is whether Van Buren was 'entitled so to
| obtain' the record." The Court found that Van Buren _was_
| entitled so to obtain the record, in that entitlement is
| the operative word. If the file is electronically
| accessible to the user, they have entitlement to so,
| i.e. electronically, obtain it. They aren't properly
| authorised or permitted or something else to it. But
| those weren't the words used. "Authorized," unadorned,
| and "entitled so to."
|
| [1] https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf
| treis wrote:
| I know, but it doesn't make sense. It's like arguing the
| kid was entitled to throw a party because he had my key.
| JumpCrisscross wrote:
| > _like arguing the kid was entitled to throw a party
| because he had my key_
|
| Did he steal your key? Or did you give it to him? If he
| stole your key, he wasn't entitled to your house. But if
| you gave him the key, he had entitlement to it.
|
| If this were a friend, not a kid, you _might_ be able to
| sue her for throwing a party in your house without
| permission. You would not be able to get her charged with
| breaking and entering because she overstepped the
| conditions that came with your key.
| treis wrote:
| B&E requires intent to commit a felony in my state. If we
| change the story to the kid using the key to rob me then
| yes he will get convicted of B&E (burglary in my state).
| Dylan16807 wrote:
| So if they come in with full intent to water the plants
| and walk off with your things, and do so, they'll be
| charged with "breaking and entering"? That really
| _shouldn't_ be a valid charge. It should be pure
| larceny.
| treis wrote:
| In that case no because they didn't enter with the intent
| to commit a felony.
| Dylan16807 wrote:
| You may not have caught the first-minute edit I made. Or
| I worded it badly.
|
| Presume they had intent to water _and_ steal at a felony
| level when they entered.
| treis wrote:
| Then that's a crime. The innocent motivation doesn't wash
| away the guilty one.
| Dylan16807 wrote:
| If they walked through an already-open door with the
| intent to steal, entering wouldn't be burglary, at least
| not under the rules I'm used to.
|
| If they had to break open the door, entering would be
| burglary.
|
| Using a key they were supposed to have, to enter a
| building they were supposed to be able to enter? I would
| say it _should_ be treated like the former case, not the
| latter case.
|
| US law may not always agree with me, and apparently there
| are states where shoplifting can count as burglary. But I
| say stretching the definition that far is ridiculous.
| secothroa wrote:
| It isn't just about access to the system, but access to
| the data as well, and he accessed data that he was not
| authorized to access. That is "exceeding authorized
| access".
|
| - Logging onto the system: officer has technical access
| to log on and is authorized to log on, no problem
|
| - Accessing normal data the officer needs for legitimate
| reason: officer has technical access to this data and is
| authorized to access it, no problem
|
| - Accessing data for the purpose of a bribe: officer has
| technical access to this data, but is not authorized to
| access it, thus they are exceeding their authorized
| access
| kstrauser wrote:
| His crime was violating the policy. He clearly did not
| hack into the computer system to get the data, and that's
| what the CFAA was meant to prosecute.
|
| Put another way, he didn't work around any computer
| controls to get at the information.
| secothroa wrote:
| >Put another way, he didn't work around any computer
| controls to get at the information.
|
| That's irrelevant. You can do unauthorized things without
| having to "work around" controls.
|
| >He clearly did not hack into the computer system to get
| the data, and that's what the CFAA was meant to
| prosecute.
|
| The CFAA was meant to prevent computer-related crimes
| including but not limited to unauthorized access, fraud,
| abuse, etc, which this clearly was.
| chipsa wrote:
| CFAA now is about violating technical controls, not
| policy controls. If policy says "Don't look at HR data",
| but nothing technically stops you from looking, it's not
| a CFAA violation to look.
| [deleted]
| hackinthebochs wrote:
| >You can do unauthorized things without having to "work
| around" controls.
|
| The term "unauthorized" is overloaded. There is one sense
| in which he was unauthorized by policy. There is another
| sense by which he was authorized by technical access.
| These are separate scenarios and separate violations. It
| makes no sense for unauthorized-by-policy to be a
| violation of a computer hacking statute.
| kstrauser wrote:
| > That's irrelevant. You can do unauthorized things
| without having to "work around" controls.
|
| SCOTUS disagrees with you, and so do I.
|
| > The CFAA was meant to prevent computer-related crimes
| including but not limited to unauthorized access, fraud,
| abuse, etc, which this clearly was.
|
| He didn't do any of those with respect to the computer
| system. He accessed a resource that he had authorization
| to access as part of his job. He misused it, but didn't
| break into the system or gain access by fraud. His
| reasons for accessing the data were wrong, but his access
| was authorized.
| secothroa wrote:
| >His reasons for accessing the data were wrong
|
| This, by definition, makes his access unauthorized.
| That's the point. "Authorization" is more than just
| technical controls. He was _not authorized_ to access the
| data for this reason.
| badRNG wrote:
| > This is a policy violation, and maybe that should be
| illegal in some way or have consequences.
|
| Sure, and usually policy violations that matter do involve
| civil consequences (e.g. litigation to recover damages) but
| not handing out felonies or putting someone in prison for a
| decade+.
| duxup wrote:
| I could see a law that has stricter terms for sensitive
| data, and civil servants with access to it. I'd be ok with
| that. Maybe even felonies depending on what occurred and
| whatever the law is.
|
| It's just the law in this case doesn't fit what happened.
| [deleted]
| stefan_ wrote:
| This person sold access to restricted data and abused his
| privileged position as civil servant to do so. Maybe it's
| not CFAA, but I'm sure it should be a felony of some sort.
| nullc wrote:
| Absolutely, and it probably already is. CFAA is just such
| an absurdly overbroad law with rather harsh penalties
| that it gets charged even when there are other more
| reasonable alternatives.
| xbar wrote:
| Yes, as the Court noted in its opinion regarding the
| Government's charging practices.
| JumpCrisscross wrote:
| > _it's not CFAA, but I'm sure it should be a felony of
| some sort_
|
| The Opinion says he "was charged with and convicted of
| honest-services wire fraud," though that it was vacated
| in a separate holding [1].
|
| [1] https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf
| belorn wrote:
| If he directly shared or transferred the police database
| information to someone else then it looks very odd that
| the government went after him for hacking. Sharing of
| classified information is a more serious crime, and
| hindering a police investigation is also a crime.
| caymanjim wrote:
| Police data is not classified.
| belorn wrote:
| It isn't? I would think that information such as of
| people with hidden identity or informants was not public
| information but rather something for which the government
| has deemed sensitive enough to protect. Am I wrong?
|
| In my country any information related to an on-going
| investigation is automatically classified. Police are not
| allowed under the law to divulge to the press any such
| information.
| caymanjim wrote:
| In the US, barring other qualifiers, "classified" is a
| federal designation for national security data. Police
| are not federal. I could get more pedantic about it;
| there are designations like "Unclassified/Law Enforcement
| Sensitive" for data that can be shared with police. The
| police are allowed to keep various information
| internally. I'm not sure that license plate ownership
| information is protected at all, though, for this
| specific case.
| akiselev wrote:
| (big IANAL) Criminal penalties for revealing information
| would be a major affront to the First amendment since
| they're the most direct way for the government to
| restrict speech. The Federal classification system only
| works because the individuals given security clearance
| enter into a special contractual agreement with the
| Federal government - only someone who has made that
| agreement can face criminal penalties for revealing
| classified information. A random pedestrian who's never
| even been allowed near classified information but
| stumbled onto it can't be prosecuted (at least, not once
| it gets to a sane appeals court).
|
| That's to say: it'd be up to each state to create its own
| criminal laws regarding what they consider confidential
| information (if any) and make sure those laws are
| constitutional by explicitly writing them into the police
| officers' contracts. Much of the time, changing internal
| policy is all that states can realistically do because
| some federal statute or constitutional clause has
| supremacy - even something that's normally a fireable
| offense at a private business might run afoul of
| constitutional protections when done by a state
| government or agency.
| threatofrain wrote:
| Out of curiosity, how would such a contract work?
| Normally the violation of a contract just means a tort
| and not criminal penalty. Surely you cannot simply say
| something like, "I agree that exercising my
| constitutional rights is now a federal offense."
| kelnos wrote:
| My (possibly flawed) understanding is that "classified
| information" in the US is pretty much a federal
| government thing, and is usually used for information
| relating to national security or spy-agency type stuff.
|
| I would imagine information about informants or people
| with hidden identities would be considered privileged
| information in whatever state/local law enforcement
| jurisdiction created it, but penalties for leaking or
| distributing it would be a local matter, and many
| localities might not have specific laws on their books to
| deal with it.
|
| Regarding on-going investigations, police aren't supposed
| to publicly discuss information about investigations, but
| they may if they deem that there is a public interest in
| doing so, or that doing so will help them with their
| case. I may very well be wrong here, but my gut suggests
| that in most places in the US there are likely not
| specific laws against public disclosure of details of
| ongoing investigations.
| nostrademons wrote:
| He should be charged with the laws against that, then,
| rather than the CFAA. This other poster mentioned some:
|
| https://news.ycombinator.com/item?id=27385624
| kstrauser wrote:
| Exactly. If he were charged with "bribery, and also
| public urination" for this, while I wouldn't be happy
| about what he did, it definitely wouldn't be public
| urination.
| xbar wrote:
| Well argued, counselor.
| throwsadlfksjdf wrote:
| I find both your and GP's swipes against Justice Thomas to be
| perplexing. Literal interpretation of the Constitution's
| meaning at the time it was written is exactly what you should
| want, not whatever that single judge feels should be or
| should have been the meaning. I don't see how that's a bad
| trait.
| jrochkind1 wrote:
| I wonder if the negative commenters are unaware of the history
| of CFAA prosecution abuse, and are coming at this for the first
| time only through this case.
|
| This is very, very good news.
|
| https://www.eff.org/deeplinks/2020/01/eff-asks-supreme-court...
|
| https://www.eff.org/deeplinks/2021/06/supreme-court-overturn...
| pdonis wrote:
| I don't find either side's arguments particularly compelling in
| this case; they all look like legalistic sophistry to me more
| than anything else. I think the fundamental problem is that the
| CFAA is bad law, which means that there will be reasonable
| arguments on both sides any time it comes up in a court case.
| What should really happen is that the law should be changed.
| jdmichal wrote:
| > What should really happen is that the law should be
| changed.
|
| And the way to make _that_ happen is by limiting the scope of
| the law as much as possible, in order to force law makers to
| rewrite it. Which is what has happened here. If law makers
| _did_ intend the rejected interpretation, then they should
| rewrite it to clarify such.
| pdonis wrote:
| _> the way to make that happen is by limiting the scope of
| the law as much as possible, in order to force law makers
| to rewrite it._
|
| I doubt that will actually happen, though. Our system
| basically assumes that laws will be written to be vague and
| ambiguous, and that courts will clarify the interpretation
| over time. I don't think this is a very good way to run
| things, but it seems to be the way we've settled on.
| jdmichal wrote:
| Maybe. But it's a pretty strong component of the
| interaction between legislature and judiciary. Ambiguity
| should be resolved to make fewer things criminal. And
| then the legislature can disambiguate if they deem it
| important enough business to do so.
|
| https://en.wikipedia.org/wiki/Rule_of_lenity
| ggggtez wrote:
| It's almost as if textualism is just an excuse, and not
| actually a coherent legal view...
|
| I have mixed feelings on the ruling. It sounds to me like a
| crime did occur. But the CFAA is _also_ overly vague... Without
| reading the details of the case and the statute, it's hard for
| me to be sure what to think here.
|
| I guess looking forward, this will force police departments and
| others to be more explicit in their access policies, which it
| sounds like here there just wasn't any?
|
| I guess that's a win?
| Natsu wrote:
| I agree with this decision, but I've always advocated my own
| personal test for whether access is 'unauthorized' or not.
|
| Basically, I would say that unauthorized access should require
| some material deception to gain access. So if you socially
| engineer your way in, it's unauthorized--you lied to someone.
| If you use a computer virus, it's unauthorized--you lied to the
| computer to get it to execute that code, probably
| misrepresenting it as some other type of data. If they set the
| permissions wrong or it's just an AUP thing, it's not
| unauthorized access. Though, as here, it might be against the
| law for some other reason (violation of privacy or whatever).
|
| This would avoid catching people out because someone set
| permissions to give too much access or wrote overbroad AUPs
| that shouldn't be turned into federal felonies, while providing
| a nice bright line because you can actually test whether, if
| not for the deception, they'd have been granted access to the
| system, especially the computer side of that. So the people who
| used anonymous FTP with a fake email won't become felons
| because it's easy to prove the system lets in everyone no
| matter what their email is set to, whereas the person using
| someone else's credentials lied to the system about who they
| are and should get punished, etc.
|
| I think that my test would be consistent with this holding, but
| remember that this is merely my view of how the law should be.
| It's not a description of how the law is, it's something I
| would advocate that I believe provides a reasonable boundary
| between authorized and unauthorized access that's both clear and
| testable.
| repiret wrote:
| I think the problem with the deception test is that if the
| login screen for the DMV database access had a checkbox that
| said "I am only using the system in a way consistent with
| department policies" or something, then you could argue that
| checking that box was deceitful.
|
| I think Congress' intent with CFAA was to criminalize
| hacking. There are already laws against fraud, so we don't
| need a deceitfulness test to catch, say, social engineering.
| The problem I think is that CFAA was written in 1986 and not
| enough people understood what hacking was well enough to
| write it down clearly in the law, so instead the "excess of
| authorized access" language is in the law, and has been used
| to criminalize lots of things that aren't really hacking and
| Congress didn't intend to criminalize with the CFAA.
| pessimizer wrote:
| What if I, as your employer, say "you're not authorized to
| look at records that haven't been assigned to you" and you
| then look at a record that hasn't been assigned to you - is
| that unauthorized access?
|
| edit: I certainly don't agree that the distinction between
| access to a file in a file cabinet and a record on a computer
| should be significant. I think it's a dumb law. But the
| unauthorized access test is straightforward. If I work at a
| company that disallows internet browsing other than for work
| purposes and I visit my facebook page, I think that's a clear
| case of hacking under the "authorized access" test, and my
| only real defense would be that I needed to check facebook
| for work.
| secothroa wrote:
| >is that unauthorized access?
|
| Yes. And SCOTUS's problem is that they think the punishment
| for visiting facebook at work shouldn't be the same as the
| punishment for stealing company records - and that's fine,
| and of course something I agree with. But SCOTUS should
| actually address _that_ directly, rather than going down
| this weird path of trying to warp the definition of
| "authorized".
| shuntress wrote:
| That is "hacking" the same way opening an unlocked filing
| cabinet you were told never to look in is "lockpicking".
| Natsu wrote:
| I'd say that should only be fraud if you lied to get
| access, I don't agree with interpretations that allow any
| random AUP to create new felonies.
|
| Don't get me wrong, I understand how that can be
| straightforwardly interpreted as "unauthorized access." I'm
| advocating for what the law _should_ be, in my view. The
| idea is to make a bright line that gives a test for _mens
| rea_ to avoid over-criminalization while not being too
| unreasonable. I'm sure there could be scenarios I haven't
| thought of that would turn out poorly.
| bitcurious wrote:
| >Basically, I would say that unauthorized access should
| require some material deception to gain access. So if you
| socially engineer your way in, it's unauthorized--you lied to
| someone. If you use a computer virus, it's unauthorized--you
| lied to the computer to get it to execute that code, probably
| misrepresenting it as some other type of data. If they set
| the permissions wrong or it's just an AUP thing, it's not
| unauthorized access. Though, as here, it might be against the
| law for some other reason (violation of privacy or whatever).
|
| Interesting test. What if you set your user agent to chrome
| instead of firefox and that grants you access to a website?
| aidenn0 wrote:
| That would arguably be wire-fraud (you lied over an
| electronic network in order to get some material gain).
| Natsu wrote:
| Yeah, cases like this are a bit harder. Part of the idea is
| how important the lie is to gaining access. It is difficult
| to distinguish a relatively harmless lie like this, or
| claiming to have actually read the 1,000,000 page AUP, to
| someone impersonating another.
| a1369209993 wrote:
| > What if you set your user agent to chrome instead of
| firefox and that grants you access to a website?
|
| The website is at fault. This is no different than lying
| about your religion to bypass a discriminatory shop owner.
| agency wrote:
| I would not say "no different." Religion is a protected
| class[1], web browser preference is not. The law does not
| treat all kinds of discrimination equivalently.
|
| [1] https://en.m.wikipedia.org/wiki/Protected_group
| haswell wrote:
| But where do you draw the line re: which type of "lie"
| matters?
|
| A naive generalization might say that "lying" by setting
| a header = illegal. But clearly there is a difference
| between setting the Authorization header and setting the
| User-Agent header.
|
| But what about headers that are not so well-defined? What
| about custom headers?
|
| I'm not disagreeing with you, but these are the first
| questions that come to mind.
|
| It seems that a judge would have to carefully consider
| the design of the system, and whether the vector that
| granted access was something that was clearly negligent
| on the part of the site owner, or was truly an attack
| vector and deemed illegal. But it seems difficult to
| formulate a universal test for this.
| kenjackson wrote:
| > Basically, I would say that unauthorized access should
| require some material deception to gain access.
|
| This seems like a poor definition, IMO.
|
| For example, what if I tell you I'm going to club you over
| the head and get access to the computer you're on. And I do
| so. There was no material deception. I did exactly what I
| said.
|
| Another example is what if I just walk around the counter
| while you're not there. There is no one around to deceive.
| mananaysiempre wrote:
| > For example, what if I tell you I'm going to club you
| over the head and get access to the computer you're on.
| [...] There is no material deception.
|
| Then there's no hacking and you should be charged with
| assault or whatever else is appropriate.
|
| > Another example is what if I just walk around the counter
| while you're not there.
|
| Then it doesn't matter if there was an unlocked computer or
| an unlocked cabinet behind that counter.
|
| There doesn't need to be, for every illegal act X, an extra
| special law or punishment for "X but a computer was
| involved".
|
| People want a criminal penalty for hacking and maybe
| they're right, but you shouldn't try to cover every
| undesirable act that involves a computer with a single law
| any more than every undesirable act that involves a piece
| of paper is covered with one. You also shouldn't claim that
| breaking down a door is the same as walking through an open
| one, even when both constitute (among other things)
| trespassing.
| takeda wrote:
| But then that would be considered hacking only if you used
| an axe.
| dane-pgp wrote:
| Presumably the argument is that you are "deceiving" the
| computer into thinking that you are the person whose head
| you clubbed, or who walked away from the counter.
| kenjackson wrote:
| Only if the computer had some type of technical
| authorization associated with it.
| Natsu wrote:
| > For example, what if I tell you I'm going to club you
| over the head and get access to the computer you're on
|
| That's either a true threat, or assault and battery. It
| only becomes computer fraud if you fraudulently use my
| credentials to access the computer.
|
| > Another example is what if I just walk around the counter
| while you're not there. There is no one around to deceive.
|
| That's trespass, not computer fraud.
|
| There's more than one crime on the books. Saying that
| something isn't computer fraud isn't claiming that all
| those things should be legal.
|
| Like in this case, I think it should be bribery more than
| computer fraud.
| kenjackson wrote:
| > That's trespass, not computer fraud.
|
| Why is that trespassing? There's no sign that says I
| can't go behind the counter? In fact, in many cases you
| can go behind the counter, just you aren't expected to
| jump on their computer. The problem isn't that I'm behind
| the counter. The problem is that I'm using a computer I'm
| not authorized to use -- it's just whoever set up the
| computer didn't set up an authorization gateway.
|
| But really access to the computer really isn't fraud.
| It's what you do once you're at the computer that matters
| much more. It's authorization for the action that matters,
| not access authorization.
| mananaysiempre wrote:
| There's actually an argument to be had around how illegal
| this should be.
|
| Let's take computers out of the picture again. Suppose I
| know that an organization O throws out folders with
| sensitive data D into the trash can in their publicly-
| accessible lobby every Friday at 3 pm. People that want
| to know D pay me to come there at 2:55, root through the
| can and write down the pieces that they need.
|
| Should what I am doing be illegal? Whatever your answer,
| is it in any way different from walking around that same
| lobby sniffing O's open Wi-Fi network except for
| "computers were involved"?
| telotortium wrote:
| I wonder how the market for compliance and authorization tools
| and services will react to this ruling. I would guess they will
| have a lot of increased business - even though employers can
| always fire an employee that violates policy, it will probably
| strengthen their case to ensure that the employee is also
| breaking the law, especially in unionized workplaces or other
| places where formal policies around termination are especially
| important.
| elliekelly wrote:
| What a silly and cynical comment. Most employers (the _vast
| majority_ even!) aren't looking to set their employees up to
| become criminals when they fail to follow company policy.
| Usually the goal of a policy is to have a fail-safe: where even
| if the policy is violated the law isn't.
| viztor wrote:
| I don't think the agent's action is proper, but it had nothing to
| do with computer fraud per se, nor is that the legislative
| intention.
|
| Suppose someone was granted access to an evidence room, but had a
| look at evidence that is not from his case, or a case file that
| he has access to for reasons not work-related. Those
| generally fall in the area of internal regulation, in which case
| the agency takes the legal blame for the agent, and should it
| take action against the agent, it might be supported.
|
| Plainly put, even if those records were physical the agent in
| question could have done the same thing. Logically, it's not a
| matter of abusive conduct through computer, it's a matter of
| abusing public power.
| chmod600 wrote:
| Questions:
|
| * Should there be a distinction between violating a written
| policy; and bypassing a technical barrier?
|
| * Should there be a distinction between doing something that you
| are ordinarily permitted to do, but for an unpermitted purpose;
| and doing something that you are just never permitted to do?
|
| It seems that the Court didn't answer the first question, which
| is more interesting to me.
| duxup wrote:
| If someone has access to data, but uses it inappropriately, that
| doesn't sound like something that should be covered by "exceed
| authorized access".
|
| If someone is using that information inappropriately, maybe that
| should be against the law, but not the Computer Fraud and Abuse
| Act.
| Animats wrote:
| This is an important decision, in that it means that violations
| of terms of service are not criminal offenses.
| supergirl wrote:
| did the court clarify what "authorized" means? seems that the
| opinion hinges on that definition.
|
| does it mean just knowing the right user name and password? what
| if the login page also had a check box "I agree to use this
| system only to perform my job". if the cop lies and checks this
| box, does it mean he's not authorized?
|
| if lying about the check box is OK, what if he had used a
| colleague's user name and password for the criminal activity?
| he's still authorized just he didn't use his own password to
| commit the crime. would that still not make it CFAA?
| WCSTombs wrote:
| Here's EFF's take, which IMO is correct:
| https://www.eff.org/deeplinks/2021/06/supreme-court-overturn...
| jmspring wrote:
| I wonder if the raid in 1990 on Steve Jackson Games fell under
| this particular act.
|
| http://www.sjgames.com/SS/
| ncallaway wrote:
| Almost certainly not. My understanding of the SJ Games raid was
| that the Secret Service was issued a search warrant by a court
| prior to the raid.
|
| 18 U.S. Code § 1030(f) explicitly excepts lawfully authorized
| investigative activity of a law enforcement agency. The Secret
| Service is such a law enforcement agency, the raid was an
| investigatory activity, and since they obtained a search
| warrant prior to the raid it was a "lawfully authorized"
| search.
|
| As such, even if there _might_ be liability based on their
| actions under the other portions of the section (I have no idea
| on this aspect, I'm not too familiar with the details of what
| they did as part of the search and seizure), the waiver in (f)
| is extremely broad and would apply to the Secret Service in
| that particular case.
|
| > (f) This section does not prohibit any lawfully authorized
| investigative, protective, or intelligence activity of a law
| enforcement agency of the United States, a State, or a
| political subdivision of a State, or of an intelligence agency
| of the United States.
|
| https://www.law.cornell.edu/uscode/text/18/1030
| jmspring wrote:
| Thanks!
| aftbit wrote:
| I wonder if this precedent would have had any impact on weev's
| case. https://en.wikipedia.org/wiki/Weev#AT&T_data_breach
| Miner49er wrote:
| I was wondering the same thing, and I don't think it would. I
| am not a lawyer, and I guess we can't know why the jury voted
| guilty, but I think the arguments were that weev didn't have
| authorization. They argued that there were several "gates" weev
| had to go through to access AT&T's data.
|
| 1) User agent. He changed the user agent to that of an iPad.
|
| 2) The ID themselves. He only had to increment them to get to a
| new one, but they argued these were like a password.
|
| 3) Going to a URL that wasn't linked from somewhere. I'm not
| kidding.
|
| https://www.techdirt.com/articles/20130929/15371724695/dojs-...
|
| So I think in weev's case, they argued he never had
| authorization at all.
|
| Whereas, in Van Buren's case, "The parties agree that Van Buren
| 'access[ed] a computer with authorization'". So the problem was
| whether or not he exceeded authorization, not if he had it in
| the first place.
| smsm42 wrote:
| SCOTUSblog analysis:
| https://www.scotusblog.com/2021/06/diverse-six-justice-major...
| donatj wrote:
| https://en.wikipedia.org/wiki/Van_Buren_v._United_States
|
| > The FBI set up a sting operation and instructed Albo to offer
| Van Buren US$6,000, but in exchange, to request Van Buren look up
| a license plate on the Georgia Crime Information Center (GCIC) he
| had authorized access to, as to see if its registered owner, a
| stripper, was an undercover officer
|
| What ever happened to entrapment being... you know... against the
| law?
|
| Like I'm aware these sorts of stings happen all the time. What I
| don't understand is why it's generally found to be OK.
| smsm42 wrote:
| The police routinely catch drug dealers by selling drugs to them
| or buying drugs from them. This is no different. Entrapment would
| only be a defense if you showed that absent police action you'd
| _never_ do anything like that and they essentially coerced you
| into it. But if they know an officer is corrupt and routinely
| sells data to criminals, then to obtain hard evidence by
| staging a sting sale would be completely ok for them. In this
| particular case, the officer reached out to the criminal for
| money, so it'd be hard for him to claim he'd never done it if
| the police weren't involved.
| ceejayoz wrote:
| Entrapment has specific requirements to apply, namely, that the
| person would not normally have committed the crime.
|
| Wearing someone down for years with harassment? Threats? Lies
| like "you have to do this or someone would die?" Entrapment.
| donatj wrote:
| How is that different than offering someone 6 grand? Had no
| one offered him six grand he never would have committed the
| crime.
|
| Like there's literally no victim here other than the accused.
| [deleted]
| jlmorton wrote:
| Entrapment is not against the law, but it is a legal defense at
| trial against a charge.
|
| In any event, this is not entrapment, because it was not
| coercive. It's not entrapment to offer someone a reasonable
| amount of money to commit a crime, that's standard police work.
| It's only entrapment if the person refuses the offer, and law
| enforcement harasses them, repeatedly suggesting someone commit
| a crime until they are eventually convinced to do it.
| TameAntelope wrote:
| Holy shit, it costs $6,000 to look up one license plate?
|
| Hollywood has really made this seem like a not-that-bad or not-
| that-unusual activity. Good that they're cracking down on it,
| but my expectations and reality are way out of whack on this.
| rurabe wrote:
| There are so many things going on here it's easy to conflate them
| but here's how I read it:
|
| The CFAA is a law about _how_ access is attained not _what_ is
| accessed. There may or may not be other laws that have penalties
| for what is accessed given the nature of what is accessed, but
| that is a separate issue from the CFAA.
|
| For example, I am sure that there is some statute I would be in
| violation of for walking out of a CIA office with a binder of
| classified information. This should be illegal regardless of how
| it's accomplished.
|
| By contrast I think it should probably be a crime to gain access
| to a system through either technical exploits or social
| engineering, even if all you do is access cat memes that were
| public anyway.
|
| Layered on these issues is whether you think judges should stick
| to literal textual interpretations or rule based on the projected
| impacts of their decisions.
|
| Personally, as many have laid out, a strict textual approach
| opens the door to let private companies write felony law for
| literally anything they want, which seems an unworkable way to
| run a society.
|
| I think it's much more prudent to restrict this law to methods of
| access and allow other laws dictate what can and can't be
| accessed or used (copyright law, state secrets etc).
|
| A final question is how to test for whether methods are
| authorized or not. Someone here suggested the test should be the
| inclusion of "material deception". This I think falls short
| because a lot of behavior that we would not want to criminalize
| would satisfy the test. Should it be illegal to use a VPN?
| Because I can see that being construed as material deception.
| Sacha Baron Cohen dressed up as Borat is unquestionable material
| deception but I don't think it should be illegal for him to use a
| computer when doing so.
|
| Ultimately I don't know that there is a bright line definition,
| but that's okay because we use a "reasonable person" standard a
| lot in law, (and we should seek to seat judges that are the most
| reasonable of us).
|
| - No reasonable person would impersonate another to customer
|   service to steal their phone and thus password.
| - A reasonable person might want to use a VPN to avoid being
|   tracked by private corporations.
| - No reasonable person would exploit a zero day bug on a major
|   corporation.
| - A reasonable person might change their user agent to see how a
|   site looks on a phone.
| - A reasonable person might look up and save articles from a
|   database they have access to.
| tehwebguy wrote:
| Wow, guess it's a good thing our courts love corrupt cops more
| than they hate everyone else?
|
| What this guy did is one of the very few things that someone
| should actually get hit with the CFAA for. He abused access to
| police databases as a cop but he's off the hook because even
| though he was explicitly not _allowed_ to do so, he was _able_ to
| (as in, the system did not intend to prevent it). I guess if
| that's what it takes to narrow this bad law, fine!
| QuadmasterXLII wrote:
| It sure looks like it. I wonder if we can get any other unjust
| laws overturned this way? With a single FBI sting that tricks a
| cop into smoking weed on camera, we could end the drug war!
| einpoklum wrote:
| Abuse of power and CFAA violations aren't the same thing. Not
| that the former is not rampant in the US and among the police
| in particular...
| walshemj wrote:
| Murdoch's tabloids will love this
| spoonjim wrote:
| Oof. I don't like this decision, and surprised to see the breadth
| of agreement from the Court. When you grant a person access to a
| system (digital or physical), it's for a specific purpose.
| Violating that purpose should be a criminal act. If I give a
| plumber my house key to come in and fix my sink, and he goes and
| he opens up my computer and looks at my files, that should be a
| crime. If I grant a Geek Squadder access to my computer to get a
| virus off my computer, and he looks at my private photos except
| to the extent necessary to do the job I hired him to do, that
| should be a crime.
|
| One could always say "Congress can remedy this with legislation"
| but that body has become fully dysfunctional so we all know that
| won't happen.
| J5892 wrote:
| Yes, it likely should be a criminal act, and it may even be
| covered by one.
|
| But it should not be a violation of the CFAA.
|
| In your Geek Squadder case, you gave him access to the
| computer. He may have used that access improperly, but he did
| not increase his access through any illicit means. It is likely
| a crime, but not one that should be covered by the CFAA.
|
| Your plumber case is a much different scenario. Also definitely
| a crime, but you did not grant him access to the machine. So
| it's possible that the CFAA should cover that, but I don't have
| the knowledge required to answer that with any amount of
| certainty.
| rkagerer wrote:
| An analogy: Imagine I give you a key which opens two doors, and
| tell you to only use it on the first one.
|
| Entering the prohibited room isn't an offense under this act. But
| circumventing a lock on a _third_ door for which you _don't_
| have a key would be.
|
| i.e. The judges interpreted it as intending to capture hacking,
| not policy violations.
| colechristensen wrote:
| Or stated differently, the judges explicitly denied giving
| policy the force of law so that you can't be charged for a
| crime for going against an employee handbook or license
| agreement rule.
| dogman144 wrote:
| This quietly, but I think significantly, changes the
| considerations for IAM and similar access controls.
|
| In the wild, these always trend towards overly permissive. Almost
| every company, tech or not, mature or not, deals with this.
|
| This ruling shifts a fair amount of responsibility to IAM teams
| to get it right now, as CFAA won't back them up as much anymore.
| vageli wrote:
| Company policy does not have the force of law, and violating
| company policy should not be met with legal ramifications
| unless those violations also transgress the law. Most company
| policies forbid installing games on company laptops--should
| that be treated as a felony?
| dogman144 wrote:
| Not apples to apples at all.
|
| IAM mistakes easily touch prod, laptop games don't.
| NovemberWhiskey wrote:
| I don't know it makes much difference for internal controls.
| The implicit threat that backs the control is the disciplining
| of the employee, not their criminal prosecution.
| dogman144 wrote:
| Disagree as someone who's built these, prosecution is an
| ultimate fallback in AUPs, employee handbooks, etc.
|
| HR teams ultimately don't have a ton of teeth or willpower
| unless there are laws involved, and now there is not legal
| coverage.
| NovemberWhiskey wrote:
| If it matters, I was speaking as someone who led the
| authorization platform team for a Fortune 100 company. I do
| suppose this depends significantly on company culture.
|
| In my experience: failure to abide by company policy is
| first-and-foremost a compliance issue; the company policy
| framework definitely goes above and beyond the scope of
| "what is criminal".
|
| HR is primarily there to manage records of
| employee conduct (e.g. in case of a pervasive pattern of
| misconduct across a number of different controls) and a
| sanctioning mechanism (hard conversation; formal reprimand;
| separation).
| dogman144 wrote:
| Yeah def a company culture thing.
|
| I agree it's a compliance issue, this is def GRC, and
| agree with your def of HR.
|
| What I notice is HR likes to really move on employees
| when it has legal protection to do so. What a "pervasive
| pattern of misconduct" is often has a law behind it in
| some form, as otherwise you risk a wrongful termination
| lawsuit.
|
| So, if you have a situation where an employee's pattern
| of misconduct sources back to only, or at the root, IAM
| allowing it (say an extreme scenario like consistently
| nuking prod), there is now some gray area for those
| wrongful termination suits.
| driverdan wrote:
| If a company's first line of defense for an employee violating
| internal policies is getting them charged with a federal felony
| then there is something very wrong with that company.
| dogman144 wrote:
| Hence "quietly but significantly." I certainly never said a
| felony was the first option.
|
| From a defense in depth standpoint, the CFAA served as sort
| of a final stopgap, in that it gives HR legal precedent to
| fire someone who did something moronic with their IAM.
| Dan_JiuJitsu wrote:
| Just so I understand here; he's still on the hook for taking the
| bribe and running the license plate, he's just been cleared of
| unauthorized access because he was granted access to the system.
| Right? Seems to me the prosecutor messed up when charging him
| under CFAA, which as we can see here is a complex and nuanced
| section of law, instead of something straightforward, if less
| sexy like public corruption/bribery.
| nickysielicki wrote:
| In what world is it reasonable for the FBI to go around and bribe
| small-town police officers in order to charge them under the
| CFAA? WTF.
| ok123456 wrote:
| They do anti-corruption stings like this. The most famous was
| probably ABSCAM (https://en.wikipedia.org/wiki/Abscam).
|
| I'd rather them devote resources to anti-corruption like this
| than "drugs".
| devmor wrote:
| I am loath to defend agents of the government, law officers or
| otherwise; but I have to agree with the decision here.
|
| Van Buren violated department policy, and perhaps other laws in
| his conduct. But he did not gain unauthorized access to a system.
| He already had authorized access - he just used it improperly.
|
| Similarly, if I were granted access to my company's production
| database to perform some kind of operation that required me to
| read/write data, and I used that privilege to access financial
| records of customers, I would certainly be violating my company's
| policy and likely some privacy and financial laws. But it would
| not be gaining unauthorized access, as I was explicitly granted
| access to that system - just for a different purpose.
| theginger wrote:
| Summary please.
|
| It's a lengthy document with quite complex language.
|
| The impression I got from reading the introduction is it was
| pretty clear which way the ruling went, but some of the comments
| here seem to be based on the opposite so there seems to be some
| confusion.
|
| So please can someone please sum it up in 1 or 2 lines?
| 1vuio0pswjnm7 wrote:
| "[E]xceed[ing] authorised access" (EAA) may occur where
| information accessed is located in "areas of the computer that
| are off-limits", e.g., "files, folders, databases". Access for
| an unauthorised purpose does not amount to EAA.
|
| I was aiming for 160 chars (2 lines of 80 chars). Not so easy.
| smsm42 wrote:
| The question was if you accessed the data which you are
| authorized to access (like police database for a policeman) but
| then used it for the purposes which are not part of your duties
| (like a corrupt policeman selling these data to criminals) can
| you be charged under CFAA. The SCOTUS said no, if you are
| authorized, then you are authorized, and the fact that you used
| the data later for an unauthorized purpose does not make the
| access itself a crime under CFAA (still could be a crime under
| a different law, of course). Thus, they restricted the reading
| of CFAA to a much narrower scope than the government wanted to
| apply.
| smsm42 wrote:
| Also this probably blows a huge hole in the "EULA violation
| is a CFAA crime" argument. I'd say it probably would not
| survive this decision.
| CA0DA wrote:
| How would the Aaron Swartz case have been affected if this
| decision had been made before?
| [deleted]
| dudeinjapan wrote:
| The SC made the right call here. In order to dissent, you have to
| claim that all improper/illegal acts done with computers
| constitute a form of hacking under the CFAA, since the prevailing
| laws do not "authorize" one to use the computer in that fashion.
___________________________________________________________________
(page generated 2021-06-03 23:00 UTC)