(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value
A criminal investigation into whether or not this was really accidental would be entirely warranted here. If there was intent to access this information without authorized access that is criminal.
> A criminal investigation into whether or not this was really accidental would be entirely warranted here. If there was intent to access this information without authorized access that is criminal.
I don't understand this. Claiming that something is an accident and not intentional usually isn't much of an excuse where it comes to the criminal acts.
"obtaining anything of value" could be satisfied by getting personal data which today is akin to profit, but the "intent to defraud" would be hard to prove in court, save for some very broad and dangerous interpretation of "intent" which could equal sloppiness to malice, a precedent that might ruin the lives of honest people who just happen to be clueless sysadmins or developers.
Totally agree though on investigating whether this was really accidental or not; if it was done on purpose I would expect FB to be hit really hard.
Not a lawyer, but at least in my jurisdiction, fraud requires a monetary loss by the victim.
Generally, civil law is better suited for this sort of thing, no matter how good a pitchfork feels in your hand. As but one of the reasons, the required standard of proof is much lower.
Yeah, 18 USC 1030 (a)(2)(C) might be a better fit:
> Whoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished as provided in subsection (c) of this section.
(The definition of "protected computer" encompasses any computer that is "used in or affecting interstate or foreign commerce or communication".)
There’s got to be a monetary loss here. If there isn’t precedent for calculating that loss, such precedent should be established. Our email contacts are valuable, especially at 150m user scale. We could have all banded together and sold them, had Facebook not stolen them. These users should be compensated.
Of course. If the email contacts were of no value, Facebook wouldn't be taking them from accounts. People tend not to steal worthless assets. Unfortunately, monetary loss for the user may be tougher to prove than monetary gain for the thief.
> There’s got to be a monetary loss here. Our email contacts are valuable.
Why? Nobody lost their contacts, so what’s the $ amount it cost them? Facebook claims they’re deleting them. If that’s true, then Facebook isn’t gaining from the contacts. If users don’t lose anything and if Facebook doesn’t gain anything, what is the monetary loss?
> especially at 150m user scale
Where’s that number coming from? The article talks about 1.5 million users.
> We could have all banded together and sold them, had Facebook not stolen them.
So while it’s entirely true that contacts should never be copied without consent, and that’s exactly what happened, I guess don’t forget that these users consciously gave Facebook their passwords. No matter how much I trust what someone says they’ll do, my email account password gives access to everything in my email account, I’ve always thought it was a terrible terrible idea to ever do it when connecting services together, for this very reason. I’m saying it’s partly the user’s responsibility, and the outcome here is predictable, because it has been predicted before by many people.
BTW, nothing stopping you from banding together and selling email addresses now, if you think it’s a good idea... the blip with Facebook is not in any way preventing that from happening.
> don’t forget that these users consciously gave Facebook their passwords.
There is a lot of legal precedence about social engineering and how to prosecute it, this would completely fall under fraud. If I ask someone for their password to perform some service and then I copy all of their data, that is a crime regardless of how stupid they are.
This really doesn't matter at all in a case of fraud if you gave the password willingly, it is under false pretense. If someone asks me to give them something so that they can provide a service or take those things as an investment. I willingly give them those things yes, but we have a written, verbal, or implied contract that they will do and will not do certain things with that information. Failure to follow our agreement and instead robbing me is a crime.
Hey I’m 100% with you. I’m not defending Facebook, and it’s crazy they ask for passwords. But just because Facebook’s at fault doesn’t mean that it’s okay as a user to give out your password, nor does it mean that you lost any money when contacts are copied, right? The words “stealing” and “robbing” don’t really convey what happened here, even in the case Facebook isn’t telling the truth.
You are saying that the words 'rob' and 'steal' don't convey what has happened here, but this is only true in the colloquial sense. There is a good reason why many legal codes and laws start off with an exhaustively long list of definitions. Legal definitions often are different in very subtle ways that maybe aren't apparent at first glance.
If you don't think that this is the proper framing, maybe consider a different one. It is clear that there is definitely room to interpret this as a civil or criminal act regardless of how the parties craft their arguments. For example, imagine an employee that copies company data, even if it has no actual value under their authorized username/password on the last day of work. This is often charged as a clear criminal offense. So to reiterate, employee with authorization to access dataset, copies a large dataset with no obvious monetary value on their last day of work, but one that they weren't given permission to copy. There are cases that have been literally this, and it is easy to see how this incident could line up with this legal approach.
I think you are fixating too much on a critique of the specific charge listed by the top of this thread. I was defending the idea that there would probably be a way to go about mounting a case in that way. You seem to think that this is the incorrect legal framing for this, which is totally fine. The legal process is more of a subjective art than a science.
What made you think I was fixating on anything? I just agreed with you that Facebook's action is at least negligent and could be criminal. I guess I'm fine with the word stealing in the sense of information theft. Still, Facebook claims it was an accident and that the data is being deleted. It might have been intentional, but I'd wait to call it intentional until proven, even though they've done it intentionally in other cases. :)
All I'm really saying is, no matter what, don't give out your password. And if you do, don't pretend to be shocked when something bad happens.
> Nobody lost their contacts, so what’s the $ amount it cost them?
Opportunity cost? If Facebook has these contacts now, then their third parties have them, so those contacts are no longer as valuable, if valuable at all.
> Where’s that number coming from? The article talks about 1.5 million users.
My bad, added two orders of magnitude by accident. I knew something was off there. Thanks for the correction.
> Opportunity cost? If Facebook has these contacts now, then their third parties have them, so those contacts are no longer as valuable, if valuable at all.
We don't know that's true, I would be cautious about making assumptions. But, even if we assume it is, opportunity cost isn't equivalent to financial loss, so we can't say people lost money they weren't already making.
Anyway, I don't think email lists being sold has prevented email addresses from appearing in other lists. It's clear to me that nobody is tracking the value of my email address because marketers keep buying it over and over.
That said, from my point of view, I don't like the idea of selling my own email address or trying to extract money from it. I don't want that, and I don't agree with the idea of selling my privacy in order to battle my concerns about Facebook taking and/or selling my privacy. The selling of my privacy is the very thing I don't want to have happen.
Privacy is not a monetary value for me, it's something I value having, not something I value selling. I don't want it to be subject to capitalist thinking and market analysis.
I think 'monetary loss' has a bit more of a meaning of actual money or assets lost, not potential to earn money that you weren't really planning on using being lost. Not saying I think it's not an issue! But I don't think the term 'monetary loss' is applicable.
Unfortunately not a lawyer so even my creative reinterpretation is moot but I was thinking along the lines of class action. Why can’t that group of people form a class? Is there really no damage here?
Of course we need actual fundamental privacy protection.
The statute says "anything of value." Here the thing of value would be a person's contact list. The attempt to gain this thing of value through deceit (telling the person you are trying to verify their account and using the access they give you to steal their contact list) would be the fraudulent act.
The fact that Facebook put a system in place to obtain these contact lists is evidence on its own of their value, but that value could also be quantified without much difficulty.
The only real question is: was dropping the consent form without removing the feature an honest mistake or was it done because somebody decided it would result in a lower bounce rate and thus more money for Facebook.
If criminal law isn't capable of handling a hacker who hacked 1.5 million victims, criminal law is broken.
(If Facebook changed its name to Lulzsec2.0 of course the FBI would be very interested in the situation.)
And while the previous commenter quoted the part of the CFAA that mentions fraud, fraud isn't necessary to violate the CFAA. All you need to do is exceed authorized access to any internet-connected computer. Is there any doubt that Facebook has admitted to doing that?
It's not hacking. It's social engineering. It's no different than some smooth talking "Nigerian" getting your grandmother to cut a check. No systems were hacked here, no technical errors or design loopholes were exploited. People were persuaded into doing things that gave Facebook the access it needed to obtain the contact info.
There's no law that makes "hacking" a criminal offense. This particular case is just manipulation/social engineering so you probably shouldn't be calling it "hacking" on a message board that's mostly populated by software professionals to whom "hacking" has a meaning that does not include what is basically a con-man trick (though I see you have already edited the parent comment to reflect this).
We were literally just discussing the law that makes hacking a criminal offense. The Computer Fraud and Abuse Act makes it a federal offense; most if not all states also make it a state crime; most if not all other countries also make it a crime in their jurisdictions.
And yes, tricking someone into giving up their password is hacking (as any hacker will tell you), and it is a crime to use that password to swipe someone's contact database.
I'm not sure I can continue this thread with you because it seems you are very confused. I have also not edited any comments here.
Simply asking for email passwords indicates an intent to gain unauthorized access, and disguising the request as being part of a security-enhancing action eliminates all doubt.
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value
https://www.law.cornell.edu/uscode/text/18/1030
A criminal investigation into whether or not this was really accidental would be entirely warranted here. If there was intent to access this information without authorized access that is criminal.