This ruling is really confusing for me. So I feel pretty strongly that what van Buren did is a massive abuse of authority and it warrants punishment. Yet so many people I usually agree with (SCOTUS judges, EFF, privacy lawyers) are all calling this a win.
Am I missing something? To me, this ruling means that if a person is granted technical access to a computer system, then that person cannot be held criminally liable for anything they do with access to that system, even if the owner explicitly prohibits it.
In other words, lets say I work at a gay hookup website and they grant me access to their production database as part of my job. If I start selling off information about user to third parties (say journalists), how can that be legal?
Aside, I do understand and agree with the argument allowing for spidering and screen scrapping. Like, if I buy a subscription to an online parts catalog, I should be able to use a bot to access that data in the same ways a human could.
Perhaps it would be helpful to consider an offline analogy. Suppose there were no computers involved and all the information was stored in files in a locked room.
Now Van Buren is given a key to access the filing room for his duties, and then uses his key to go in and look up the file on some license plate in exchange for money.
Clearly, this is a terrible breach of trust and authority. It should be against policy. He should be fired. Likely there should also be criminal statutes about police or government employees selling or abusing government records.
But he's not guilty of breaking and entering. He was given access to that data, even if this is not what he was supposed to be going in there for.
As one of the justices noted, if merely misusing computer access that you were otherwise allowed to access were a criminal offense, then potentially "an employee sending a personal email or checking sports scores on a work device" could be criminal, rather than just breaking a company policy.
I think there's a solid online analogy for HIPAA data.
Certain employees at a hospital have authorization to pull up medical records as part of their jobs. It is extremely illegal for them to view records that aren't required for specific work purposes. If a nurse is treating Jane Smith in room 203, it's OK and normal for her to look at Jane Smith's records. It's absolutely not OK, and punishable with huge fines, for her to pull up her ex-boyfriend's records just out of curiosity.
However, it's not a violation of the CFAA for her to look at her ex's data. It's 100% against HIPAA, but she didn't have to break into a computer system to view them. She was authorized to access the system. She wasn't authorized (by virtue of her work requirements) to pull up those specific, but as a nurse, the system permitted her to without going around any login prompts or doing anything harder than typing "John Doe" into the search box.
That's the distinction that the CFAA cares about. It's about breaking into systems, or, at least, that's why it was written and that's how the SCOTUS just ruled that it was meant for. It's about access to the system in general, not access to a specific record in the system. There are other laws that govern those specifics.
So the actual crimes are far better enforced by more accurate legislation. Not swept up by an overly broad, and borderlom irrational interpretation of the CFAA.
For ex: the accused is still authorized to access the computer. A cashier at a grocery store is authorized to open/close the til all day long.
These may present opportunities but shouldn't be the focus of any crime. The theft itself is already firmly in the criminal code as being illegal.
It seems to me like the issue here is that reasonable people disagree on where the boundary between work misconduct and criminal liability is, and that computers being involved are pushing that to the forefront in these kinds of cases.
I agree that defining where the boundary should be is tricky in practice, and it's a good point that this was hardly a unanimous decision, not to mention overruling the appealed ruling.
On the other hand, the underlying law, the CFAA, is about more than just workplace issues like this issue. Interpreting it broadly could mean that violating some terms of use could be a criminal offense, and I am glad that the court avoided that interpretation. It's better having this law be more specific to the intent of criminalizing "hacking" and leaving other laws or policies to deal with how one might abuse computers or networks that one is otherwise entitled to access.
>A person commits the offense of criminal trespass when he or she knowingly and without authority:
>(1) Enters upon the land or premises of another person or into any part of any vehicle, railroad car, aircraft, or watercraft of another person for an unlawful purpose;
> A person commits the offense of criminal trespass when he or she knowingly and without authority
Note emphasis.
Going in my house without my permission (without authority) to do something illegal is criminal trespass, based on what you quoted. If you have permission to be in my house and do something illegal while in my house then that is not criminal trespass, based on what you quoted. Whatever illegal thing you did is still illegal, but you weren't trespassing.
Exactly the same as what GP and the parent of that said about CFAA. The CFAA, as the Supreme Court clarified with this ruling, makes it illegal to break into a computer system. But if you have permission to be in a computer system and do something illegal with that access, whatever you did is still illegal, but you didn't break into the computer system so you didn't violate the CFAA. Making it an exact digital equivalent of your trespassing law.
If you read the opinions, the dissent reads the CFAA as if it were just importing common law property-based rules to the electronic realm. As it applies to property, authorization is absolutely contextual. If I give a key to a housecleaner and they use it one afternoon intending to steal something, that's trespass. If they just happen to steal something on the spur of the moment, that's not trespass. However, the CFAA has additional language ("exceeds authorized access") that would capture such behavior. As the dissent notes, you can absolutely be charged with criminal trespass if you, for example, enter a National Park to remove a grain of sand in violation of park rules; it's the intent to do something in violation of the terms of access that makes it trespass.
The majority opinion says that applying common law property-based meanings is not the right approach. Rather, the CFAA makes far more sense if you understand authorization and similar terms in the sense they're more often used in computer science, which turn on the design of the authentication and authorization system itself, and are agnostic to external policy, agent intent, etc.
>If you have permission to be in my house and do something illegal
Sure, but having permission to come in for a certain reason doesn't also grant you permission to come back lather for another reason. To use the analogy, the defendant had permission to enter the "house" for certain purposes. They subsequently entered it for an explicitly unauthorized purpose. That latter entry is trespassing.
Yeah, I don't buy this line of argumentation. Suppose the locked room is an apartment and the person with a key is your landlord. I'm pretty sure he's not authorized to enter and do whatever.
A plain reading of "authorized" means "having official permission or approval." Van Buren might have been "authorized" to access the system but he certainly wasn't "authorized" to access certain data for cash bribes.
I guess I'm at a loss to see this as a "win" for civil liberties, but maybe I'm missing something.
You're trying to make the same argument as in the dissent, but the Court decision spent something like parts of 5 pages defining the word "so" and how this specific law applies to this kind of situation.
It's a win for civil liberties because how an employer writes their policies should not potentially open an individual up to federal criminal prosecution under the CFAA specifically.
"Mr. Thomas challenged the verdict, arguing that his conduct was not illegal because his IT position provided him full access to the system and empowered him to 'damage' the system by deleting files or taking the system offline. Thus, any acts were not 'without authorization.' The Fifth Circuit rejected this argument, finding that the statute’s prohibition against exceeding authorized access applies to insiders who go beyond the permission granted them in order to cause damage."
I was initially going to say no, that when he went on to damage files, he caused material harm. He was not authorized to "damage" the system, and although he had access to the system and so gaining access in and of itself is not a crime, causing damage would be.
But then I looked into the case a bit closer and I start to think he has an argument for not being charged under the CFAA. As with many laws, intent matters, so it is possible that if his intent was to harm the business, there may well be charges that could be applied in that realm. And obviously he could be held civilly liable for damages, which is no different than any other employee who does something to damage their employer's equipment. Offline example - if I work at a construction company, and I wreck construction equipment because I wasn't happy my co-worker got fired, that isn't going to be a criminal offense, but the company will likely fire me and try to collect damages.
So I'm going to go back on my initial judgement and say that I think he may have grounds to get his conviction overturned and while he may be charged with other crimes, not sure it would come from the CFAA.
If the CFAA doesn't apply to sys admins working at the highest levels of authorization, it seems to be a useless law. Foreign actors can simply hire sys admins to access whatever they want, no need for hacking.
I really do think the court has opened Pandora's box on this one. They should've voided the statute for vagueness if that was the concern. As it stands now, it has to be one of the dumbest laws on the books.
> Foreign actors can simply hire sys admins to access whatever they want, no need for hacking
This is prosecutable under a myriad of existing laws. CFAA was specifically crafted to deter and punish hacking. As far as I know, that's still very much a thing.
> If the CFAA doesn't apply to sys admins working at the highest levels of authorization, it seems to be a useless law. Foreign actors can simply hire sys admins to access whatever they want, no need for hacking.
It's still illegal to steal IP. But no, you can't charge a janitor with keys to the whole building for breaking and entering if he uses those keys to steal something.
Companies have a responsibility to vet their employees, first. I don't know how that is affected by the CFAA being a bit more constrained than it was before, which was extremely overly broad.
I strongly disagree with your assessment (re: Pandora's box, dumbness), but I do think and acknowledge it is a law worthy of being replaced with one more up to date and more clear.
It prevents you from using someone else's credentials to access the system.
It prevents a whole bunch of other sophisticated attacks as well, but let's be honest, people just giving out their password or using a really weak password is the most likely scenario.
He'd presumably be guilty of other things but those might well be civil. IANAL. But when laws/interpretations change, they're not necessarily retroactive.
Private corporations are not legislatures. If you are an invited guest to my house and I say it's not ok to drink wine out of a shot glass, and instead you must always drink from a wine glass when in my house, and you do it, that's not a felony. If the family album is on the couch and I give it to you and say you can look at it, but don't look at the last two pages which have the pictures of the wife nude and you do that, that's not a felony.
You could, in both cases, theoretically argue that it's a trespass to chattels and get nominal damages, but that's a civil matter.
Yes, sure. But the point is that, under certain circumstances, the use of the key can exceed your level of authorization. Possession of the key isn't a get out of jail free card.
In your example, the information you sell would still be illegal, it just wouldn't have the added crime of hacking aka "unauthorized access" attached to it.
People are calling this a win because the CFAA, as it used to be interpreted, would have had you potentially charged for changing the url of this post from 'https://news.ycombinator.com/item?id=27389500' to this 'https://news.ycombinator.com/item?id=waffles'. This allowed cops/feds to charge you with crazy high penalties if they really wanted to make you sweat, see Aaron Schwartz
Some of the most memorable SCOTUS cases had less than noble test cases (ever hear of Miranda rights? https://en.wikipedia.org/wiki/Miranda_v._Arizona). SCOTUS isn't deciding if the defendant is a dirt bag or not, just if the very specific law is valid/applied correctly
The guy was also convicted of wire fraud and bribery. Those charges were not at question in this decision. This decision only says that looking up records you have access to is not hacking.
> So I feel pretty strongly that what van Buren did is a massive abuse of authority and it warrants punishment. Yet so many people I usually agree with (SCOTUS judges, EFF, privacy lawyers) are all calling this a win.
Whether Van Buren deserves punishment is a separate question from whether the legal theory the DoJ sought to use to get him punished was proper.
> Am I missing something? To me, this ruling means that if a person is granted technical access to a computer system, then that person cannot be held criminally liable for anything they do with access to that system, even if the owner explicitly prohibits it.
No, it doesn't. This is not a finding that the activity is Constitutionally protected, or even non-criminal in any broad sense, but that it is not within the scope of the criminal provisions of the CFAA, which is a win, because the interpretation of the CFAA necessary to make it applicable is ludicrously broad.
> In other words, lets say I work at a gay hookup website and they grant me access to their production database as part of my job. If I start selling off information about user to third parties (say journalists), how can that be legal
It shouldn't be, but that doesn’t justify abusing the CFAA into a blank prosecutorial check.
"That man's bad" / "There's no law against that"
"Whilst you talk he's gone" / "And go he should, if he were the devil himself until he broke the law".
> This ruling is really confusing for me. So I feel pretty strongly that what Van Buren did is a massive abuse of authority and it warrants punishment.
I wouldn't disagree with your judgement here, but you wouldn't charge him with murder right? Neither should you charge him with hacking.
> If I start selling off information about user to third parties (say journalists), how can that be legal?
Well, by default it would be legal, except I imagine any employment contract would have a provision around privacy, disclosure, and trade secrets, etc. You'd be in violation of the contract, and since you made money from it, some form of fraud or similar would apply.
The question is, would you consider that the same crime as someone without access to the production database breaking in and grabbing the data, and perhaps just giving it away for free (so they'd avoid committing a bunch of other criminal acts).
> To me, this ruling means that if a person is granted technical access to a computer system, then that person cannot be held criminally liable for anything they do with access to that system
That is not the meaning of the ruling. Nothing precludes trying someone for other crimes.
> Am I missing something? ... it warrants punishment.
The decision does not prevent punishment. It narrows the scope of how the CFAA can be applied. Had it been interpreted as broadly as the government asked, terms of service violations would be open to Federal prosecution. The EFF article lays out some particularly troublesome implications, like criminalizing the use of your work computer for personal matters.
> If I start selling off information about user to third parties (say journalists), how can that be legal?
It's not. The decision simply states that because you were given access, you can't be charged specifically for hacking. You would still on the hook for stealing and selling the data.
The majority are happy to see that minor or even trivial access of things people aren't "supposed" to look at--even though they have access to systems--are no longer CFAA violations. The assumption is that if it isn't trivial they're probably violating some other law or at least doing something they'll be fired for.
That said, I have sympathy for the dissent as well which essentially argues that the majority is drawing an awful fine distinction here. i.e. so long as you're OK to access a system for some purpose, you're fine so far as the CFAA is concerned.
> so long as you're OK to access a system for some purpose, you're fine so far as the CFAA is concerned
This is a pretty gross simplification of the position by the majority. I get it was an example and maybe a bit exaggerated, but wanted to point this out. They even specifically said that you have to have the specific access to the information you are retrieving - the example (paraphrased) was if you have access to folder X, but not folder Y, and you then access folder Y, you are now in violation.
If anything, the minority was basically being, IMO, too trusting that people with the authority to bring these charges would be reasonable and exercise it in an unbiased and even manner.
Fair enough. I was using "system" in the sense of collection of resources/information--not necessarily everything connected to it in some manner.
I'm not unhappy with the result. I also think it draws a very narrow line that doesn't really exist in the law (which is why you see Thomas et al dissenting).
"This ruling is really confusing to me. So I feel like what Van Buren did is a massive abuse of authority and it warrants punishment."
The Supreme Court decision does not by itself exonerate Van Buren. It just remands the case to the lower court to decide again, taking into account the clarification of the CFAA's applicability. Van Buren could still be found guilty and punished, on other grounds.
Just because some action involves a computer (database) and does not violate the CFAA does not necessarily mean it will not trigger potential culpability or liability under other criminal or civil law.
If ruled the other way then basically everyone who works a desk job would be breaking the CFAA daily. Let me explain.
If an employer only allowed employees to use their work computers for work (I assume most do, at least officially) as soon as an employee does anything personal on it (checks FB, checks HN, etc) even if on lunch break, they have exceeded their authorization, broken the law under the CFAA, and face up to 10 years in prison.
That's incorrect. If you read the full statute, it has to be unauthorized access combined with some sort of theft of data, or access of governmental records. It wouldn't apply to browsing public sites. The specific subsection that was applied to Can Buren lays out three cases. Unauthorized access plus obtaining:
(A)information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B)information from any department or agency of the United States; or
Thanks for posting this, I didn't realize there was a such a tangle of definitions as to what was accessed.
That said, doesn't this pretty much include anything on the web?
(a)Whoever—
(2)intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(C)information from any protected computer;
where a "protected computer" is:
(e)As used in this section—
(2) the term “protected computer” means a computer—
(B) which is used in or affecting interstate or foreign commerce or communication
seems like that would catch an awful lot of webservers.
My understanding of the issue is that the prosecutor chose to use the CFAA rather than going after the real crime because of the circumstances.
The accused in the case was caught in a sting operation. The police created a fake situation where they pretended to have an undercover agent, and tries to see if the accused would interfere with the case. He did. The prosecutor however did not charge the accused over obstruction of justice, but rather CFAA and hacking charges. I would guess that the reason is that the prosecutor thought it was easier than charging someone with interfering with a fake case.
From what I understand, courts and judges do not like it when either side try to be clever. CFAA is not a tool to be used when the prosecutor want to avoid a more difficult case, and so it needed to be limited in scope.
All the ruling says is that he didn’t violate the CFAA. It doesn’t say anything about bribery laws, selling government information, etc
It is typical for a prosecution to include every charge possible. In this case they included the CFAA, and the Supreme Court said that particular charge was an invalid application of that particular law. It has no effect on any other charges, and no effect on any other laws.
The CFAA is a law about how you access systems, so this ruling defines "authorization" under the CFAA as "had legitimate access to this system" only.
There are many other laws that you can still be charged with that govern what you access, irrespective of how, ie copyright, child porn, confidential information.
The people who view this as a win are worried that if "authorization" is defined as "against any rule, made by anyone" then the CFAA could be used to criminalize almost anything online. Note that restriction of the CFAA does not let you off the hook of other laws.
The people who worry about this are worried that judges had to use a fair bit of extrapolation and guessing as to the intent and effects of the law because the wording is pretty vague, and probably problematic for internet activity if interpreted very narrowly.
Van Buren violated policy. He should have been terminated. Van Buren was prosecuted for a criminal act not narrowly reflected by the law he was prosecuted against. The SC majority opinion mentioned exactly this.
> Am I missing something? To me, this ruling means that if a person is granted technical access to a computer system, then that person cannot be held criminally liable for anything they do with access to that system, even if the owner explicitly prohibits it.
Yes, you are confusing a policy violation for something more grand. I suspect most people are confused on this matter due to a selection bias favoring criminality for a violation of public trust.
What he did was despicable and a grotesque abuse of his position, but it had nothing to do with hacking.
The prosecutors decided to charge him under the CFAA because the data he sold for money was stored in a computer system. Van Buren accessed data he was authorized to access, using his own perfectly valid credentials. Because of this, the Supreme Court says it is not a violation of the Computer Fraud and Abuse act. They say that a person cannot be charged under the CFAA just because the crime they committed involved a computer.
Well, van Buren was convicted of a felony wire fraud charge as well with an equal length concurrently served sentence as the CFAA charge. So there was another crime we could charge him with, and we did successfully. The only difference is the lack of a CFAA charge on his record and some good case law about what the CFAA actually means so that hopefully it'll only be pushed against true computer crimes rather than crimes that happen to involve a computer.
Van Buren was also convicted of wire fraud for the same act, with a concurrent prison sentence with the CFAA count of the same length (18 months). So at least in this case he's getting the same punishment either way for his actions.
Reducing the scope of the CFAA in case law just means that we take the teeth out of a overused and honestly crappy law that's ruined lives without reason to.
> So I feel pretty strongly that what van Buren did is a massive abuse of authority and it warrants punishment.
After reading the background info in the Supreme Court decision PFD... Agreeing to accept a $5000 cash bribe from some sketchy dude for information available only to law enforcement, undoubtedly falls within many existing anti-corruption laws that he could have been prosecuted under.
Van Buren clearly committed a heinous act and should be punished.
The issue is that this is a hacking statue. He didn't hack into the system, he just used it in a bad way. The punishment should be the same if he got it from a filing cabinet he had the keys to.
The takeaway isn't "If you have access, everything you do is legal" -- not for computers, not for filing cabinets.
It isn't saying it is legal, just that it doesn't run afoul of the CFAA and become a federal computer hacking crime. There very well be other laws and repercussions, whether at different levels, like State, or being fired, etc.
It is refreshing because it doesn't put the risk of federal criminal prosecution at the whim of how an employer writes their policies.
> I should be able to use a bot to access that data in the same ways a human could.
I don't think even this is something that follows naturally.
For example, a human can sit next to the highway and write down license plates. However, it is still a crime if you use a computer to do the same (and perhaps sell a huge database containing this information).
Just because someone did something wrong and should be punished doesn't mean they committed murder.
Just because a computer was used doesn't mean it was "hacking".
The Supreme Court essentially limited the scope of the CFAA to unauthorized access of a computer system. That is a good thing. The alternative is your employer could institute a policy change in what you can use internal systems for and you could find yourself on the wrong end of a CFAA "hacking" criminal prosecution. That's not hyperbole.
On a side note, we once again find Thomas on the wrong side of history. The dissenters have gone well beyond what they might argue is strict textualism to simply supporting broad authoritarianism.
Aaron Swartz is frequently brought up here as a prime example of prosecutorial overreach. For example, he was charged with "hacking" with the (then) interpretation of the CFAA, which then compounded to other charges, like breaking and entering to commit a felony (CFAA "hacking" was that felony).
the decision is not about other laws for criminally misusing information, as in your example, it is about the fact that the CFAA is a bad law written by legislators who did not understand (and appeared to be afraid of) computers.
> Am I missing something? To me, this ruling means that if a person is granted technical access to a computer system, then that person cannot be held criminally liable for anything they do with access to that system, even if the owner explicitly prohibits it.
What you are missing is that you are assuming that the CFAA is the only means by which Van Buren should be punished. So you are assuming that either the CFAA covers this abuse, or he gets off completely free.
The CFAA isn't the only means to deal with his conduct. Although it doesn't apply, he is still liable to be punished under whatever regime he was given access to it.
In simplified form:
He was granted access to the system pursuant to his employment - ie he was able to log into it, whereas the average citizen can't. Whatever conditions are applicable to that grant are the ones to apply when he abuses that access (eg if the policy says "you can only access this for these purposes, or you will be fired" then if he accesses it for a different purpose, they can fire him).
That is quite separate from the CFAA.
The CFAA is a parallel source of obligations, and is part of the criminal law.
Just because Van Buren breached the terms on which his employer let him access the database doesn't necessarily mean he committed a crime as well.
What SCOTUS did was say that the criminal law provision essentially deals with the "technical" side of access:
* if you get into a computer that you have no access to (ie hacking into it), you breach the relevant section.
* if you are authorised by the operator to have the technical means to access to certain info in the computer (eg permissions), and you do something to access other material, you breach the section (eg escalation of privileges)
* if you have the technical means to access the computer (eg log/password) and you access material that is permitted under those means (ie the user account), but you are not authorised to have that means of access (ie stolen login credentials), you also breach the section.
The problem with the interoperation that SCOTUS rejected was that under EULAs, the provider could essentially say "you can use our systems to log in and view information. But if we decide we don't like you, or you haven't paid your bill, or if you decide you are going to vote for politician X in the upcoming election, then if you actually view any information while you are logged in, you breach the act and commit a crime"
The rejected interpretation said: "authorised does not just mean you have been provided with the technical means to access the information, but also any additional conditions put on your use of the technical means by the person who granted it, which may change at any time" (eg change of policy, what is going through the user's mind)
So the answer to your observation:
> I feel pretty strongly that what van Buren did is a massive abuse of authority and it warrants punishment.
is: it is exactly that. But it is punishment to be delivered via the process granting him the access to the information (ie whatever sanctions apply to violation of departmental policy). What he did was a breach of that policy, leaving him open to whatever sanctions are provided in it. But it is not also a crime under the CFAA.
The opinion doesn't mean they can't be held criminally liable for anything they do with access to that system, just that the CFAA isn't the law that is broken. That means that the punishment or restitution imposed, if any, has to do with some other harm that was caused, over and above the mere fact of, for example, your "intrusion" into Facebook's computers by posting a photo of a cartoon character and thus violating Facebook's terms of service.
In your gay-hookup-website example, you might be civilly or criminally liable in various states of the US under a variety of laws that have nothing to do with computers. For example:
· an invasion-of-privacy tort or negligent-infliction-of-emotional-distress tort due to publicly disclosing private facts about the plaintiffs;
· a breach-of-contract tort or tortious-interference tort or negligence due to damaging your employer's business relations with the users (especially if you signed an NDA);
· a misappropriation-of-trade-secrets tort arguing that the users' information is a "trade secret" of the employer;
· a breach-of-fiduciary-duty tort claiming that if someone was going to get paid for the users' information it should have been your employer and not you;
· a breach-of-confidence tort claiming that your employer owed the users a duty of confidentiality, and you correspondingly owed it to your employer, and that you breached it by selling the data to journalists; or
· a conversion tort because you used the computer system in a way you were not authorized to use it.
(Also, the employer can probably recover whatever you were paid with an unjust-enrichment tort.)
Aside from being a tort, trade-secret theft is also a federal crime, so if your employer can persuade a prosecutor to go after you, they may be able to get you jail time. IANAL but I think the trade-secret case here is kind of weak, because in your scenario I think the journalist isn't running a competing gay-hookup website, so they aren't competing with your employer. There's also a crime of "criminal conversion", which I think is also kind of a stretch, since the employer can still use the computer system.
The key takeaway for me is how this decision affects port scanning. According to the article:
> Van Buren is really good news for port scanning, for example: so long as the computer is open to the public, you don’t have to worry about the conditions for use to scan the port.
How is port scanning different legally from brute forcing passwords? Iterating integers is fine, iterating the dictionary is not? What if there's an integer ID in the URL but it's MD5 hash'd and I recognize for what it is and iterate integers and MD5 them?
It’s not about the techniques used, it’s about the intent of the functions. Remember that we’re in the legal domain and sometimes a common sense argument prevails even if there are some potential holes (if a hole is discovered, a future court case can worry about it). Port scanning is like looking at the outside of a house and noting where the doors and windows are. Brute forcing a password is like picking a lock to gain access to something, or possibly identity theft to authenticate yourself as someone else. Judges can easily understand the difference even if the technical method might be similar. Nobody is going to believe you “port scanned” your way into someone’s online banking access and took money out of their account.
> How is port scanning different legally from brute forcing passwords?
Because humans are trivially able to recognize the difference between those two activities. A judge that has that case in front of them can _really_ easily see the difference between those activities.
I think brute-forcing passwords offline isn't illegal under the CFAA.
Using a password you got that way would be illegal.
Similarly, password stuffing (just trying many passwords on the login form) would be illegal, since you are trying to gain access. Not sure how that works if you are not successful though.
Port-scanning would be fine. Interesting edge case is, what happens if you port-scan, find an open telnet port, and use it to get a shell.
There is no authentication, but does that mean you are authorized?
My gut says that logging in to such a telnet port (when the device is not yours) is a CFAA violation. Just like walking in to a random house when the door is open is still illegal.
For sure, it's been a while but IIRC the CFAA (and UK's CMA) refer to use of certain legal classes of computer "without authorization" or "exceeding authorization". Legal authorisation is an active state rather than something that happens passively.
This should also make the use of open wireless access points legally protected. It was always ridiculous that an AP could broadcast "come join me" incessantly but it was potentially infringing to actually join and use the advertised network.
The problem is that the law was bad and so connecting to an unauthorized network had to happen before agreeing to ToS. It also put the onus on normal people to carefully pick SSIDs instead of on AP owners to secure their network.
I mean he’s dead and that’s an ok result for the police, being guilty or not doesn’t really matter. And we’ll never know if this ruling would be sufficient because again, he’s dead.
Generally good news. I just hope they have specific laws about abusing government data. For example, the LEO taking money to do searches of the database and releasing that otherwise protected. information.
Am I missing something? To me, this ruling means that if a person is granted technical access to a computer system, then that person cannot be held criminally liable for anything they do with access to that system, even if the owner explicitly prohibits it.
In other words, lets say I work at a gay hookup website and they grant me access to their production database as part of my job. If I start selling off information about user to third parties (say journalists), how can that be legal?
Aside, I do understand and agree with the argument allowing for spidering and screen scrapping. Like, if I buy a subscription to an online parts catalog, I should be able to use a bot to access that data in the same ways a human could.